A security researcher is being rewarded handsomely after he discovered a massive iOS and macOS camera flaw that would allow bad actors to hijack the camera and microphone in any iPhone or Mac computer, and use them to spy on you.
The vulnerability, actually a series of three vulnerabilities used together, was discovered by security researcher and ‘white hat hacker’ Ryan Pickren in mid-December, and was quickly validated and patched by Apple over the past three months.
According to WIRED, all three bugs had to do with the Safari browser, which could be tricked into allowing an attacker to access your camera and microphone remotely, simply by convincing you, the user, to click one malicious link. This malicious link or website could then “pretend” to be an app that had already been granted microphone and camera permissions—such as Skype—allowing the attacker full access to your camera, microphone, and even screen sharing.
This methodology side-stepped all of Apple’s built-in security measures for your camera, your microphone, and even Safari itself by simply pretending to be another site or app that already has permission—a task Pickren described as simply “wiggling around” until he found a variation on a link that “confused” Safari.
Fortunately, Pickren disclosed the bugs to Apple, which was able to patch all of the vulnerabilities in January and March before paying Pickren a cool $75,000 “bug bounty” for his trouble. That’s why we’re just hearing about these bugs now, when just about everyone should be protected; but if you haven’t updated your iPhone or Mac in the past few months, we suggest you do that right now.