Apple recently paid $75,000 to a white hat hacker that identified multiple zero-day vulnerabilities in its macOS and iPhone devices.
A zero-day exploit is a security hole that is unknown to the software developer and the public, but one that may already be known by hackers that are working to exploit it.
Forbes reports that security researcher Ryan Pickren discovered the vulnerabilities in Safari after he decided to “hammer the browser with obscure corner cases” until it started exhibiting “weird behavior.”
Pickren found seven exploits in Safari (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, and CVE-2020-9787), three of which could be chained together in the camera hacking kill chain.
“A bug like this shows why users should never feel totally confident that their camera is secure,” Pickren said, “regardless of operating system or manufacturer.”
Pickren reported his discoveries through Apple’s Bug Bounty Program in December 2019. Apple validated all seven bugs and shipped a fix for the camera kill chain a few weeks later. The camera exploit was patched in Safari 13.0.5, which was released on January 28. The remaining zero-day vulnerabilities, which Apple judged to be less severe, were patched in Safari 13.1, which was released on March 24.
Apple opened its bug bounty program to all security researchers in December 2019. Prior to that date, the bug bounty program was by invitation only and was limited to iOS devices. The Cupertino firm also increased the maximum bounty from $200,000 per exploit to $1 million, depending on the severity of the security flaw.
“I really enjoyed working with the Apple product security team when reporting these issues,” Pickren told Forbes, “the new bounty program is absolutely going to help secure products and protect customers. I’m really excited that Apple embraced the help of the security research community.”
In order to be eligible for an Apple Security Bounty, the issue must occur on the latest publicly available versions of iOS, iPadOS, macOS, tvOS, or watchOS with a standard configuration and, where relevant, on the latest publicly available hardware. These eligibility rules are meant to protect customers until an update is available, ensure Apple can quickly verify reports and create necessary updates, and properly reward those doing original research. Researchers must:
- Be the first party to report the issue to Apple Product Security.
- Provide a clear report, which includes a working exploit (detailed below).
- Not disclose the issue publicly before Apple releases the security advisory for the report. (Generally, the advisory is released along with the associated update to resolve the issue). See terms and conditions.
Issues that are unknown to Apple and are unique to designated developer betas and public betas, including regressions, can result in a 50% bonus payment. Qualifying issues include:
- Security issues introduced in certain designated developer beta or public beta releases, as noted on Apple’s bounty page when available. Not all developer or public betas are eligible for this additional bonus.
- Regressions of previously resolved issues, including those with published advisories, that have been reintroduced in a developer beta or public beta release, as noted on Apple’s bounty page when available.
For more information about the Apple bug bounty program, visit the Apple Developer website.