Hacker Discovers Multiple Zero-Day Vulnerabilities in Safari
Over the weekend, security researcher Ryan Pickren posted details about no fewer than seven zero-day security vulnerabilities he discovered in Safari. Using three of them, he was able to construct a “kill chain” to successfully hack the webcam of an iPhone or MacBook. A zero-day vulnerability is a computer software vulnerability that has not been fixed by the software’s creators. Until such vulnerabilities are fixed, attackers can exploit them to affect computer programs, data, additional computers or networks. Day Zero is the day on which the owners of the software learn about the vulnerability. In his blog post, Ryan Pickren describes how he was able to trick the browser and certain sites by masquerading as a trusted video-conferencing website, such as Skype or Zoom. If the device had previously given such a website permission to use the camera and microphone, a fake website could exploit the same flaw to gain direct, unauthorized access to the victim’s camera and microphone.
Bug Reported to Apple
Ryan Pickren reported the issues to Apple in mid-December through the company’s Security Bounty program. This program rewards researchers who share critical issues and the techniques they used with Apple. Security researchers usually give companies 90 days to fix the issue before making a public disclosure. Apple has several Bounty Categories, each with a maximum payment amount. Bounty payments vary from $25,000 for issues such as limited unauthorized control of an iCloud account to $1,000,000 for a network attack that requires no user interaction. Apple deemed that Ryan Pickren’s exploit falls into the category “Network Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data”. They awarded him $75,000 for his discovery.
Camera Exploit Patched
A few weeks later, on January 28, Apple patched the camera exploit with its Safari 13.0.5 update. Apple fixed the remaining zero-day vulnerabilities, which they found to be less severe, in the Safari 13.0 release on March 24. The most important take-away according to Ryan Pickren? “Users should never feel totally confident that their camera is secure, irrespective of which OS or device they are using.” Also, install updates as soon as they become available.
Who is Ryan Pickren?
Ryan Pickren graduated with Highest Honors from the Georgia Institute of Technology. In 2014, as a student, he gained notoriety for hacking the University of Georgia’s website. After gaining access, he added an event to the school’s calendar. Unfortunately, this bit of “school rivalry” eventually led to a felony computer trespass charge. Consequently, Ryan faced the potential of 15 years imprisonment and a $50,000 fine. Luckily, justice took mercy on the student and Ryan Pickren found more productive, legal ways to put his technical talents to use. He decided to help companies via their Bug Bounty Programs. For his first big win he received over $300,000 worth of Airmiles from United Airlines for helping them secure their website. In the past couple of years, Ryan Pickren donated most of his airmiles to educational and non-profit organizations. Ryan also created a physical Starbucks button that orders the user’s favorite drink in one click.