Expert who discovered vulnerabilities in Apple cameras received $75

A security researcher who uncovered more than half a dozen zero-day vulnerabilities in the Safari browser earned $75 from Apple's Bug Bounty program. Some of these bugs could allow attackers to access the webcam on Mac computers, as well as the video camera on iPhone and iPad mobile devices.


Ryan Pickren described the vulnerabilities in detail in several posts on his website. In total he found seven (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784 and CVE-2020-9787), three of which were directly related to possible camera hijacking on macOS and iOS devices.

A flaw in the browser allowed an attacker to fool Safari into treating a malicious site as a trusted one. Any JavaScript that can open a pop-up window (for example, a stand-alone website, an embedded banner ad, or a browser extension) could launch the attack. Because Apple lets users store per-website security settings, the attacker could borrow the trusted site's identity to invade the user's privacy: a malicious site could impersonate a trusted video-conferencing portal such as Skype or Zoom and inherit its access to the user's camera.
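The defensive lesson of this bug class is that a per-website permission grant must be keyed on the exact origin (scheme, host and port) and looked up only after the URL has been parsed the same way the browser parses it. The following is an added illustration, not code from the article or from Pickren's write-ups, and it does not reproduce his technique: it models a toy permission store in which one constructed origin (`https://zoom.us`) has been granted camera access, and contrasts a strict origin lookup with a deliberately weak hostname-substring check. The function names, the store contents and the sample URLs are all assumptions made for the example.

```javascript
// Added example: toy model of a browser's per-website camera permission store.
// Not Safari's code and not the actual CVE mechanism; it only shows why the
// "is this site trusted?" decision must use the full, normalized origin.

// Constructed sample store: one origin the user has granted camera access to.
const permissionStore = new Map([
  ["https://zoom.us", { camera: "granted" }],
]);

// Serialize an origin the way the URL standard does: scheme://host[:port],
// with default ports dropped and opaque origins (about:, data:) as "null".
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Strict decision: grant only when the exact origin has a stored grant.
// Anything unparsable or opaque falls back to prompting the user.
function cameraDecision(urlString, store = permissionStore) {
  let origin;
  try {
    origin = originOf(urlString);
  } catch {
    return "prompt"; // unparsable input never silently inherits a grant
  }
  if (origin === "null") return "prompt"; // opaque origin: no stored identity
  const entry = store.get(origin);
  return entry && entry.camera === "granted" ? "granted" : "prompt";
}

// Deliberately weak decision for contrast: matches on a hostname substring,
// so a lookalike host that merely contains the trusted name is accepted.
function weakCameraDecision(urlString, store = permissionStore) {
  const host = new URL(urlString).hostname;
  for (const [grantedOrigin, entry] of store) {
    const grantedHost = new URL(grantedOrigin).hostname;
    if (host.includes(grantedHost) && entry.camera === "granted") {
      return "granted";
    }
  }
  return "prompt";
}

module.exports = { cameraDecision, weakCameraDecision, originOf };
```

Run it with Node: `cameraDecision("https://zoom.us:443/j/123")` returns `"granted"` because the default port normalizes away, while `http://zoom.us/` (different scheme) and `https://zoom.us.evil.example/` (different host) both return `"prompt"`. The weak variant returns `"granted"` for the lookalike host, which is exactly the kind of identity confusion a permission store must refuse.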

Pickren sent the results of his research to Apple, which resulted in an update to Safari in January (version 13.0.5) that fixed three security vulnerabilities. Then in March, Apple released another update (version 13.1) that closed the remaining security holes.

For those who want more, the bug hunter has written up the full process on his blog, with all the technical details. As for the Apple Bug Bounty program, payouts for reported bugs range from $5000 (minimum) to $1 million.
Source: 3dnews.ru
