New vulnerability on Mac provides full access to iCloud accounts, PayPal and more of the affected users, as well as granting access to their microphone, camera and screen. The greatest reward ever delivered by Apple

This week, a young cybersecurity researcher demonstrated how to hack the webcams of Mac devices to leave the devices completely open to other attack variants. Ryan Pickren submitted his report to Apple through its rewards program, earning $100,500 USD for his report, the largest reward the company has ever delivered.

The young researcher mentions that the vulnerability in webcams exists due to a set of issues in iCloud and Safari that threat actors could exploit to launch dangerous cyberattacks.

Successful exploitation would have allowed malicious hackers to freely access all of the affected user’s online accounts, from iCloud to PayPal, plus the ability to manipulate the microphone, webcam, and screen of the compromised device. Pickren mentioned that Apple has already addressed the flaw.

In his tests, the researcher exploited the “webarchive” files of Safari, the system that the browser uses to save local copies of websites: “A surprising feature of these files is that they specify the web source in which the content should be rendered. The hack allows Safari to reconstruct the context of the saved website; if an attacker can modify this file in any way, they could deploy a universal cross-site scripting (XSS) attack,” he says.

At first, Apple did not consider that this error could be exploited, since users would have to download the webarchive and open it, a mechanism implemented for more than a decade, at an early stage of Safari. However, Apple has had to address the flaw after Pickren submitted its report, acknowledging the potential for exploitation.

Officially, Apple’s rewards program can award up to $1 million USD for the most severe failure reports, classifying these errors according to various company criteria. Researchers are not required to publicly disclose how much money they have received from Apple, although this practice has become common in the cybersecurity community.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.