Report a security or privacy vulnerability

If you believe that you have discovered a security or privacy vulnerability in an Apple product, please report it to us.

If you need technical support for a security issue — for example, to reset your Apple ID password or to review a recent App Store charge — view the Get help with security issues support article or visit Apple Support.

If you have questions or concerns about Apple’s Privacy Policy or data processing, you can ask us about privacy.

How to report a security or privacy vulnerability

If you believe that you've discovered a security or privacy vulnerability that affects Apple devices, software, or services, please report it directly to us on the web at Apple Security Research.

Reports should include specific product and software version(s) that you believe are affected; a technical description of the behavior that you observed and the behavior that you expected; the steps required to reproduce the issue; and a proof of concept or exploit.

After you submit your research on the web, you can track the progress of your report as it's being reviewed. We evaluate all eligible research for Apple Security Bounty rewards.

How Apple handles these reports

For the protection of our customers, Apple doesn't disclose or discuss security issues until our investigation is complete and any necessary updates are generally available.

Apple uses security advisories and our security-announce mailing list to publish information about security fixes in our products and to publicly credit people or organizations that have reported security issues to us. We also credit researchers who have reported security issues with our web servers on the Apple web server security acknowledgements page.

Alternatively, you can send your research to us via email at product-security@apple.com. Please make sure that you include the information covered above. If your report doesn't include enough information to allow us to reproduce the issue, we may not be able to accept your report or evaluate it for a reward. And if you submit your report via email, you will not be able to track progress online. Please use the Apple Product Security PGP key to encrypt any sensitive information that you send via email, and use Mail Drop to send large files.


Safari Flaws Exposed Webcams, Online Accounts, and More

Lily Hay Newman

Usually the worst thing that happens when you have dozens of browser tabs open is you can't find the one that suddenly starts blasting random ads. But a group of macOS vulnerabilities—fixed by Apple at the end of last year—could have exposed your Safari tabs and other browser settings to attack, opening the door for hackers to grab control of your online accounts, turn on your microphone, or take over your webcam.

macOS has built-in protections to prevent this sort of attack, including Gatekeeper, which confirms the validity of the software your Mac runs. But this hack got around those safeguards by abusing iCloud and Safari features that macOS already trusts. While poking for potential weaknesses in Safari, independent security researcher Ryan Pickren started looking at iCloud's document-sharing mechanism because of the trust inherent between iCloud and macOS. When you share an iCloud document with another user, Apple uses a behind-the-scenes app called ShareBear to coordinate the transfer. Pickren found that he could manipulate ShareBear to offer victims a malicious file.

In fact, the file itself doesn't even have to be malicious at first, making it easier to offer victims something compelling and trick them into clicking. Pickren found that because of the trusted relationship between Safari, iCloud, and ShareBear, an attacker could actually revisit what they shared with a victim later and silently swap the file for a malicious one. All of this can happen without the victim receiving a new prompt from iCloud or realizing that anything has changed. 

Once the hacker has staged the attack, they can essentially take over Safari, see what the victim sees, access the accounts the victim is logged into, and abuse permissions the victim has granted websites to access their camera and microphone. An attacker could also access other files stored locally on the victim's Mac.

“The attacker is basically punching a hole in the browser,” says Ryan Pickren, the security researcher who disclosed the vulnerabilities to Apple. “So if you’re signed in to Twitter.com on one tab, I could jump into that and do everything you can from Twitter.com. But that’s nothing to do with Twitter’s servers or security; I as the attacker am just assuming the role that you already have in your browser.”

In October, Apple patched the vulnerability in Safari's WebKit engine and made revisions in iCloud. And in December it patched a related vulnerability in its Script Editor code automation and editing tool.

“This is an impressive exploit chain,” says Patrick Wardle, a longtime researcher and founder of the macOS security nonprofit Objective-See. “It's clever that it exploits design flaws and creatively uses built-in macOS capabilities to circumvent defense mechanisms and compromise the system.”

Pickren previously discovered a series of Safari bugs that could have enabled webcam takeovers. He disclosed the new findings through Apple's bug bounty program in mid-July, and the company awarded him $100,500. The amount is not unprecedented for Apple's disclosure program, but its size reflects the severity of the flaws. In 2020, for example, the company paid out $100,000 for a critical flaw in its Sign In With Apple single sign-on system.


Safari and WebKit, though, have a particular set of security challenges because they are such massive platforms. And Apple has had a difficult time getting a handle on the problem, even when vulnerabilities are public for weeks or months.

“As systems become more complex, they introduce more bugs, and that’s especially true for web browsers these days,” Pickren says. “Safari can do so many things, it’s really no surprise that there are going to be more bugs as more features come out.”

Such bugs may be common, but that doesn't make them any less serious. Attackers regularly take advantage of browser vulnerabilities for both criminal and nation-state hacking. For example, they are commonly exploited in watering hole attacks that target visitors of tainted websites. And hackers actively use unpatched “zero-day” browser vulnerabilities they've discovered or purchased, along with older bugs that they can exploit opportunistically when targets haven't updated their browsers. 

“A bug like this really stresses how crucial it is to keep your browser up to date,” Pickren says. “It's an easy thing to push off, but it's ultra-important.”

It's solid advice, regardless of your browser of choice.


Safari vulnerabilities created means for attackers to covertly access iPhone cameras

Ad banner hijack exploit earns security researcher $75,000 bug bounty


UPDATED A series of recently patched security vulnerabilities impacting Apple’s Safari web browser created a means for unauthorized websites to access the camera on iPhones, iPads, and macOS computers.

Security researcher Ryan Pickren earned a $75,000 bug bounty from Apple for uncovering the seven Safari bugs, including a set of three flaws that, when combined, allowed the creation of a one-click malicious JavaScript-to-webcam access exploit.

Both the iOS and macOS versions of Safari were affected by the privacy-busting exploit chain.

Pickren reported the security bugs to Apple, which patched the vulnerabilities in a series of updates released in February and March this year.

Apple confirmed the exploit, filing the research under the ‘Zero-Click Unauthorized Access to Sensitive Data’ category of its bug bounty program, and awarding Pickren $75,000 for his discoveries.

Blink and you’ll miss it

Before they were resolved, the vulnerabilities could have allowed a specially-crafted website ad banner to hijack a user’s camera and microphone and spy on them.

This was possible because Apple’s browser technology mistakenly allowed unauthorized websites to pose as a trusted video conferencing website such as Skype or Zoom.

Flaws in how Safari parsed URIs, managed web origins, and initialized secure contexts meant that any JavaScript code able to create a popup (from a standalone website, an embedded ad banner, or even a browser extension) could directly access the Safari user’s webcam without asking for permission.

“This vulnerability allowed malicious websites to masquerade as trusted websites when viewed on Desktop Safari (like on Mac computers) or Mobile Safari (like on iPhones or iPads),” Pickren explained in a blog post summarizing his vulnerability finds.

“Hackers could then use their fraudulent identity to invade users' privacy. This worked because Apple lets users permanently save their security settings on a per-website basis.

“If the malicious website wanted camera access, all it had to do was masquerade as a trusted video-conferencing website such as Skype or Zoom,” he added.

Pickren has put together a detailed technical walkthrough of his latest vulnerability discoveries.
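The design point behind the chain above is that a saved camera grant must be looked up by the page's web origin (scheme, host and port) and only honoured in a secure context; keying it on a loosely parsed hostname lets a different scheme, port or opaque origin inherit it. The following is an added example, not WebKit's code and not Pickren's exploit (his specific URI-parsing tricks are not reproduced here): a toy per-website permission store built both ways, run against constructed URLs where skype.com stands in for any trusted conferencing site. It uses Node's global WHATWG URL parser.

```javascript
// Added example; not Apple's WebKit code and not Ryan Pickren's exploit.
// A toy per-website permission store, built two ways, to show why a saved
// camera grant must be keyed on the web origin (scheme + host + port) and
// restricted to secure contexts, rather than on a loosely parsed hostname.
// URL parsing is Node's global WHATWG URL; every URL below is a constructed
// sample input (skype.com stands in for any trusted conferencing site).

const CAMERA = "camera";

// Minimal "secure context" test: https/wss, or a loopback host.
function isSecureContextUrl(url) {
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  const h = url.hostname;
  return h === "localhost" || h.endsWith(".localhost") ||
         h === "127.0.0.1" || h === "[::1]";
}

// Weak key: the bare hostname. Any URL that parses to this host, whatever
// its scheme or port, inherits the grant.
function hostnameKey(urlString) {
  return new URL(urlString).hostname;
}

// Origin key: the parser's serialized origin. Opaque origins (file:, data:,
// about:blank) serialize as "null" and get no key, so they can never match.
function originKey(urlString) {
  const origin = new URL(urlString).origin;
  return origin === "null" ? null : origin;
}

class PermissionStore {
  constructor(keyFn, requireSecureContext) {
    this.keyFn = keyFn;
    this.requireSecureContext = requireSecureContext;
    this.grants = new Map(); // key -> Set of permission names
  }

  // Key under which a page at `urlString` is stored, or null if the store
  // refuses to deal with that page at all (non-secure or opaque origin).
  lookupKey(urlString) {
    const url = new URL(urlString);
    if (this.requireSecureContext && !isSecureContextUrl(url)) return null;
    return this.keyFn(urlString);
  }

  // Remember that the user allowed `permission` for the page at `urlString`.
  // Returns false if the store refuses to persist the grant.
  grant(urlString, permission) {
    const key = this.lookupKey(urlString);
    if (key === null) return false;
    if (!this.grants.has(key)) this.grants.set(key, new Set());
    this.grants.get(key).add(permission);
    return true;
  }

  // Would the page at `urlString` get `permission` without a fresh prompt?
  isGranted(urlString, permission) {
    const key = this.lookupKey(urlString);
    if (key === null) return false;
    const set = this.grants.get(key);
    return set !== undefined && set.has(permission);
  }
}

// Weak store: hostname-keyed, no secure-context requirement.
const weakStore = new PermissionStore(hostnameKey, false);
// Hardened store: origin-keyed, camera grants only exist in secure contexts.
const hardenedStore = new PermissionStore(originKey, true);

// The user once allowed the camera for the real conferencing site.
weakStore.grant("https://skype.com/call", CAMERA);
hardenedStore.grant("https://skype.com/call", CAMERA);

// URLs a hostile page might present; only the first shares the grant's origin.
const probes = [
  "https://skype.com/any/other/path", // same origin: allowed
  "http://skype.com/",                // other scheme: must not inherit
  "https://skype.com:8443/",          // other port: must not inherit
  "https://skype.com.evil.example/",  // lookalike host: must not inherit
  "file:///tmp/evil.html",            // opaque origin: must not inherit
];

// Map each probe to whether the store would hand over the camera silently.
function probeResults(store) {
  return Object.fromEntries(probes.map((u) => [u, store.isGranted(u, CAMERA)]));
}

console.log("hostname-keyed:", probeResults(weakStore));
console.log("origin-keyed:  ", probeResults(hardenedStore));
```

Run with `node`: the hostname-keyed store answers `true` for the plain-http and alternate-port probes, which is exactly the class of confusion a trusted-site impersonation relies on; the origin-keyed store answers `true` only for the same-origin path and refuses to record a grant for `http://skype.com/` in the first place.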

Going on Safari

Pickren told The Daily Swig how he approached this Safari research project.

“I began the camera hunt when I realized that Safari was not using web origins to save website permission settings. URI parsing is really tough to get 100% right, so I figured it was worth looking into.”

The security researcher rates the seriousness of the flaw as higher than most that periodically affect mobile browser technology.

Pickren explained: “In my opinion, this bug is more serious than the typical bugs you might find in web or mobile apps. This bug affected the most popular mobile web browser in the US and impacted millions of users.

“The Apple product security team was a pleasure to work with and I look forward to continuing to participate in their bounty program,” he concluded.

This story was updated to add comment from Ryan Pickren.

John Leyden

Apple pays major bug bounty to fix Safari flaw that hacked your webcam

One day you're downloading a cute .PNG file, the next, your camera is turning on by itself


A cybersecurity researcher has uncovered a dangerous flaw in Apple’s macOS that enabled attackers to access victims’ logged-in online accounts and even get into their webcams.

The flaw, which Ryan Pickren reported to the Cupertino giant last summer, was patched earlier this month, and Pickren went home with a $100,000 bounty.

The bug, a universal cross-site scripting (UXSS) flaw, resided in the OS’s browser, Safari.

Full access

Explaining the end result to The Register, Pickren said it grants the attacker "full access to every website you've visited in Safari, meaning that if you're visiting my evil website on one tab, and then your other tab, you have Twitter open, I can jump into that tab and do everything you can from that screen. So it does allow me to fully perform an account takeover on every website you visited in Safari."

Here’s how it works (in as short an explanation as possible): Safari supports a number of custom URI schemes, such as mailto:, s3:, and so on. One of them is icloud-sharing:, and triggering it opens ShareBear, an internal macOS app that handles document sharing via iCloud. A website, for example, can trigger it and have Safari load content hosted elsewhere.

Running malicious webarchives

This wouldn’t be a problem, were it not for a simple fact that the downloaded files could later be altered by the author. So, a victim could download an innocent .PNG file, only to have it transform into a malicious webarchive file.

“In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment. Yikes. Agreed to view my PNG file yesterday? Well today it's an executable binary that will be automatically launched whenever I want,” Pickren explained in a further blog post.


To open the webarchive file, Pickren further explains, he needed to bypass the Gatekeeper restriction, which turned out to be relatively simple. He did it via a custom webpage that could run JavaScript in an arbitrary origin (think facebook.com), which, among other things, allowed him to turn on the camera.

To fix the problem, Apple did two things. First, in macOS Monterey 12.0.1, it made ShareBear reveal downloaded files rather than launch them. Second, it patched Safari’s WebKit engine so that downloaded webarchives are no longer opened.


Apple Security Bounty. Upgraded.

We started Apple Security Bounty with one steadfast goal: to recognize and reward the security community for sharing research with us to help protect our users. We invited a small group of researchers to join the program when it launched in 2016, and we received so many helpful submissions that we opened it to all researchers in late 2019. Today we’d like to share our first update on our progress and the improvements we’ve made, many based on feedback from researchers, as we continue to work on this important mission.

In the past two and a half years since opening our program, we’re incredibly proud to have awarded researchers nearly $20 million in total payments, with an average payout of $40,000 in the Product category, and including 20 separate rewards over $100,000 for high-impact issues. To our knowledge, this makes Apple Security Bounty the fastest-growing bounty program in industry history.

During this time, our team has worked closely with researchers around the world, and we’ve learned about some things we can do better.

First, we’re responding much more quickly. At times we received many more submissions than we anticipated, so we’ve grown our team and worked hard to be able to complete an initial evaluation of nearly every report we receive within two weeks, and most within six days.

Next, we’re making it easier for researchers to report issues and communicate with our teams. Our Apple Security Research site includes a new way to send us research on the web and get real-time status updates. Just sign in with your Apple ID and follow the prompts to send us a detailed report. You can then track the progress of your report and communicate securely with Apple engineers as we investigate.


Anytime there’s a change to the status of your report, it’s immediately reflected in the new tracker. If we have a specific update or need more information, you’ll also get an email notification. And if we make changes to the security of our devices or services based on your report, we’ll keep you up to date on the details, and let you decide how you’d like us to credit your work. We evaluate all eligible reports for Apple Security Bounty, and if your report receives a reward, we’ll notify you right away — both in the tracker and by email.


We’re also providing more transparency. Our site now includes detailed Apple Security Bounty information and evaluation criteria. Bounty categories include ranges and examples, so you can determine where you’d like to focus your research, and so you can anticipate whether your report qualifies for a particular reward. We’ve provided ranges for submissions that impact Apple services and infrastructure, as well as our products.

Starting today through November 30, 2022, we’re also accepting applications for the 2023 Apple Security Research Device Program. This program features an iPhone exclusively dedicated to security research, and can help you get started, go deeper, or improve the efficiency of your research work with iOS.

Thank you for all your contributions to Apple security research and for helping us protect the users of over 1.8 billion devices around the world. With your support and feedback, we’ll keep working to make our security research programs the best in the industry. We have much more planned for the coming year, including an expanded research scope for Apple Security Bounty and other program enhancements. Along the way, we’ll share program updates—as well as unprecedented technical detail about some of our most important security engineering work—right here on this site. And we start today, with a post on critical memory safety improvements we’ve made in the XNU kernel.


Ethical Hacker Uncovers Multiple Security Flaws in Apple Safari – Receives $75,000 Bounty

Sandra Gyles

Apple has paid ethical hacker Ryan Pickren a bug bounty of $75,000. The researcher discovered multiple zero-day security vulnerabilities in Apple Safari. These flaws would have allowed a malicious attacker to take unauthorized, remote control of an iPhone’s or MacBook’s webcam.

Hacker Discovers Multiple Zero-Day Vulnerabilities in Safari

Over the weekend, security researcher Ryan Pickren posted details about no less than seven zero-day security vulnerabilities he discovered in Safari. Using three of them, he was able to construct a “kill chain” to successfully hack the webcam of an iPhone or MacBook.

A zero-day vulnerability is a software vulnerability for which the software’s maker has not yet shipped a fix. Until it is fixed, attackers who know about it can exploit it to compromise programs, data, other computers, or networks. “Day zero” is the day on which the software’s maker learns about the vulnerability.

In his blog post, Ryan Pickren describes how he was able to trick the browser by masquerading as a trusted video-conferencing website, such as Skype or Zoom. If the user had previously given such a website permission to use the camera and microphone, a fake website could exploit the flaw to gain direct, unauthorized access to the victim’s camera and microphone.

Bug Reported to Apple

Ryan Pickren reported the issues to Apple in mid-December through the company’s Security Bounty program. This program rewards researchers who share critical issues, and the techniques they used, with Apple. Security researchers usually give companies 90 days to fix an issue before making a public disclosure.

Apple has several Bounty Categories. For each category a maximum payment amount is set. Bounty payments vary from $25,000 for, for example, limited unauthorized control of an iCloud account, to $1,000,000 in case of a network attack that requires no user interaction.

Apple deemed that Ryan Pickren’s exploit falls into the category “Network Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data”. They awarded him $75,000 for his discovery.

Camera Exploit Patched

A few weeks later, on January 28, Apple patched the camera exploit with its Safari 13.0.5 update. Apple fixed the remaining zero-day vulnerabilities, which it judged less severe, in the Safari 13.1 release on March 24.

The most important take-away according to Ryan Pickren? “Users should never feel totally confident that their camera is secure, irrespective of which OS or device they are using.”

Also, install updates as soon as they become available.

Who is Ryan Pickren?

Ryan Pickren graduated with Highest Honors from the Georgia Institute of Technology. In 2014, as a student, he gained notoriety for hacking the University of Georgia’s website. After gaining access, he added an event to the school’s calendar. This bit of “school rivalry” led to a felony computer trespass charge, and Ryan faced the potential of 15 years’ imprisonment and a $50,000 fine.

Luckily, justice took mercy on the student and Ryan Pickren found more productive, legal ways to put his technical talents to use. He decided to help companies via their Bug Bounty Programs.

For his first big win he received over $300,000 worth of air miles from United Airlines for helping to secure its website. In the past couple of years, Ryan Pickren has donated most of those miles to educational and non-profit organizations. Ryan also created a physical Starbucks button that orders the user’s favorite drink in one click.


A Hacker Was Awarded $75,000 As Bug Bounty After Reporting Safari Bugs To Apple

Anil - Apr 06, 2020

Apple's Safari browser recently turned out to harbor a serious vulnerability.

Many of us are drawn to Apple devices for their performance as well as their security layers. However, Safari, the browser that ships by default with Apple products such as the iPhone, iPad, and MacBook, recently turned out to harbor a serious vulnerability: it allowed cybercriminals to gain access to the webcam and microphone on these devices. An ethical hacker has been awarded a total of $75,000 as a bug bounty for discovering the zero-day vulnerabilities for the tech giant.


The hacker given credit for his work is Ryan Pickren. Forbes said in a report that Ryan revealed a batch of zero-day flaws in Safari, and this is the first time he received money from Apple.

Ryan said he was very interested in collaborating with Apple’s inbound team to work through these issues. He believes bounty programs like this improve the security of both Apple’s products and its customers, since they raise the overall security level with the help of the research community.


Ryan Pickren first reported his discovery to Apple in December. Some of these bugs reportedly gave hackers the ability to take control of Apple users’ microphones and cameras once those users were tricked into visiting a malicious website, even though they had never granted that site access to the mic or camera. After being notified of the flaws, Apple shipped an important patch for Safari in an update on January 28.


Apple releases Safari 15.6.1 to fix zero-day bug used in attacks

Lawrence Abrams

  • August 18, 2022


Apple has released Safari 15.6.1 for macOS Big Sur and Catalina to fix a zero-day vulnerability exploited in the wild to hack Macs.

The zero-day patched today (CVE-2022-32893) is an out-of-bounds write issue in WebKit that could allow a threat actor to execute code remotely on a vulnerable device.

"Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited," warns Apple in a security bulletin released today.

An out-of-bounds write vulnerability is when an attacker can supply input to a program that causes it to write data past the end or before the beginning of a memory buffer.

This can cause the program to crash or corrupt data or, in the worst case, allow remote code execution. Apple says it fixed the bug through improved bounds checking.

Apple says the vulnerability was disclosed by a researcher who wishes to remain anonymous.

This zero-day vulnerability is the  same one that was patched by Apple yesterday  for macOS Monterey and iPhone/iPads.

Apple has not provided details on how the vulnerability is being used in attacks other than saying that it "may have been actively exploited."

This is the seventh zero-day vulnerability fixed by Apple in 2022, with the previous bugs outlined below:

  • In March, Apple patched two more zero-day bugs that were used in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675).
  • In February, Apple released security updates to fix a new zero-day bug exploited to hack iPhones, iPads, and Macs.
  • In January, Apple patched two actively exploited zero-days that allowed attackers to execute code with kernel privileges (CVE-2022-22587) and track web browsing activity (CVE-2022-22594).


Apple plays catch-up with a bug bounty program coming in September

Julian Chokkattu

Announced at the Black Hat conference, Apple will unveil a program in September that will offer a cash reward for people who discover exploits and vulnerabilities in its suite of products, according to TechCrunch. The program will focus on Apple’s most recent products, meaning iOS 10 and the new devices rumored to launch in the fall.

Offering a cash reward is a popular method of squashing bugs and closing loopholes in software and hardware these days. It’s so popular that the Department of Defense launched a “Hack the Pentagon” program with a $150,000 bounty budget. Google recently said it’s increasing its bug bounty for Android up to 50 percent above what it currently offers.


The bugs have been sorted into five categories: exploits in secure boot firmware components; extracting data from Secure Enclave; executing arbitrary or malicious code with kernel privileges; access to iCloud account data on Apple servers; and access from a sandboxed process to user data outside the sandbox.

The rewards range between $200,000 and $20,000. In an unusual move, Apple will encourage people who receive rewards to donate them to charity, and the Cupertino company will match donations to approved institutions.

Apple’s move may have been a direct consequence of the San Bernardino shootings in December 2015. The shooter left behind a locked iPhone, and while Apple initially aided the investigation, the Cupertino company refused a court order that demanded backdoor access into the iPhone. This prompted an encryption battle between the U.S. Department of Justice and the Cupertino company, which eventually led to the FBI purchasing a method to hack the iPhone from third-party hackers.

The program will start as invitation-only so as to eliminate a flood of fake submissions, but if a party discloses an important bug to Apple they will be invited into the program.


Apple Pays $100.5K Bug Bounty for Mac Webcam Hack


The researcher found that he could gain unauthorized camera access via a shared iCloud document that could also “hack every website you’ve ever visited.”

A researcher who showed Apple how its webcams can be hijacked via a universal cross-site scripting (UXSS) bug in Safari has been awarded what is reportedly a record $100,500 bug bounty. The bug could be used by an adversary as part of an attack to gain full access to every website ever visited by the victim.

The bug-finder is Ryan Pickren, founder of proof-of-concept sharing platform BugPoC and a former Amazon Web Services security engineer. This isn’t the first time he’s found bugs that let him hoodwink Apple’s cameras: In 2020, he discovered vulnerabilities in the Safari browser that could be used to snoop on iPhones, iPads and Mac computers using their microphones and cameras, just by convincing a target to click one malicious link.

Great research once again from Ryan Pickren for those looking for Apple bugs: Gaining unauthorized camera access via Safari UXSS https://t.co/SP8duGpq8T — Jon Bottarini (@jon_bottarini) January 25, 2022

This time around, according to Pickren, he found a series of flaws – in Safari 15 and iCloud Sharing – that could again lead to unauthorized camera access, which would again allow an attack to be launched from a malicious site.


But his more recent find is worse: It could also enable a shared iCloud document to “hack every website you’ve ever visited,” he said, and could steal permissions to use multimedia – in other words, the microphone, camera and screensharing.

Pickren reported that the same hack could result in an attacker gaining full access to a device’s entire filesystem, by exploiting Safari’s webarchive files, which are the files Safari creates as an alternative to HTML when it saves a website locally.

Pickren submitted the bugs to Apple last July. The iPhone-maker patched the issues earlier this month and subsequently awarded the $100,500 bug bounty to Pickren.

The issues are found in ShareBear, a behind-the-scenes iCloud file-sharing app that prompts users when they try to open a shared document for the first time – and only the first time. Since users aren’t presented with the display again once they’ve accepted the prompt to open the file, Pickren found that anyone who has access to the file can alter the file’s content after that occurs.

“ShareBear will then download and update the file on the victim’s machine without any user interaction or notification,” Pickren explained in his technical write-up. “In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment.”

These three steps are involved in using ShareBear to download and open a webarchive file:

  • Trick the victim into giving permission to plant the polymorphic file;
  • Turn an image file in .PNG format – he gave the example of puppies.png – into an executable binary (“evil.dmg”) after the user has agreed to open it, and then open it;
  • The binary triggers an exploit chain that leverages other flaws discovered in Safari in order to take over the machine’s microphone or webcam, or even to steal local files.


Stages of ShareBear attack. Source: Ryan Pickren.

Pickren identified four zero-day bugs, the following of which have received CVE tracking numbers:

  • CVE-2021-30861: A logic issue in WebKit, rated at 5.5 in criticality, that Apple addressed with improved state management in macOS Monterey 12.0.1. The bug could allow a malicious application to bypass checks done by Gatekeeper, a macOS security feature that attempts to reduce the likelihood of inadvertently executing malware by enforcing code signing and verifying downloaded applications before allowing them to run.
  • CVE-2021-30975: An issue in macOS Monterey’s Script Editor with a base criticality score of High (8.6) that may allow a malicious OSAX scripting addition to bypass Gatekeeper checks and circumvent sandbox restrictions. Apple addressed the issue by disabling execution of JavaScript when viewing a scripting dictionary.

“This project was an interesting exploration of how a design flaw in one application can enable a variety of other, unrelated, bugs to become more dangerous,” Pickren concluded. “It was also a great example of how even with macOS Gatekeeper enabled, an attacker can still achieve a lot of mischief by tricking approved apps into doing malicious things.”


Hacking the Apple Webcam (again)

Gaining unauthorized camera access via Safari UXSS: the story of how a shared iCloud document can hack every website you've ever visited.

Ryan Pickren

It's been over a year since my last Apple camera hacking project, so I decided to give it another go.

My hack successfully gained unauthorized camera access by exploiting a series of issues with iCloud Sharing and Safari 15. While this bug does require the victim to click "open" on a popup from my website, it results in more than just multimedia permission hijacking. This time, the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too.

This research resulted in 4 0day bugs (CVE-2021-30861, CVE-2021-30975, and two without CVEs), 2 of which were used in the camera hack. I reported this chain to Apple and was awarded $100,500 as a bounty.

Safari UXSS

Apple fixed my last 0day chain (CVE-2020-3852 + CVE-2020-3864 + CVE-2020-3865) by making camera access drastically more difficult. Now multimedia access is only allowed when the protocol is "https:" and the domain matches your saved settings. This means that cleverly malformed URIs won't cut it anymore. Now we need to genuinely inject our evil code into the target origin. In other words, we need to find a Universal Cross-Site Scripting (UXSS) bug.

But what exactly is UXSS? Google Project Zero has a nice summary in their paper, "Analysis of UXSS exploits and mitigations in Chromium":

"UXSS attacks exploit vulnerabilities in the browser itself [...] to achieve an XSS condition. As a result, the attacker does not just get access to user session on a single website, but may get access to any [website]."

The authors of this paper go on to call UXSS "among the most significant threats for users of any browser" and "almost as valuable as a Remote Code Execution (RCE) exploit with the sandbox escape." Sounds pretty great, right? Imagine building a website that can jump into https://zoom.com to turn on the camera, hop into https://paypal.com to transfer money, and hijack https://gmail.com to steal emails.

Before we go any further, I should clarify how exactly this bug differs from my last Safari Camera Hacking project. That bug specifically targeted stored multimedia permissions. It did not give me the ability to execute code on arbitrary origins. Check out my attack diagram to see which origins were being used. In other words, that hack let me leverage Skype's camera permission but did not let me steal Skype's cookies.

Let's try to find a UXSS bug in the latest version of Safari (Safari v15 beta at time of writing). As always, the first step is to do a lot of research into prior work. After all, the best security research comes from standing on the shoulders of giants.

The Attack Plan

After reading numerous write-ups about patched Safari UXSS bugs, I decided to focus my research on webarchive files. These files are created by Safari as an alternative to HTML when a user saves a website locally.


Safari saving a website as a Webarchive file

A startling feature of these files is that they specify the web origin that the content should be rendered in.


Webarchive File Format

This is an awesome trick to let Safari rebuild the context of the saved website, but as the Metasploit authors pointed out back in 2013, if an attacker can somehow modify this file, they could effectively achieve UXSS by design.

According to Metasploit, Apple did not view this attack scenario as very realistic because "the webarchives must be downloaded and manually opened by the client." Granted, this decision was made nearly a decade ago, when the browser security model wasn't nearly as mature as it is today.

Apple's decision to support this ultra-powerful filetype gave way to an era of hackers trying to forcefully open them on victims' machines. Fundamentally, this attack can be broken into two steps:

1) Forcefully download an evil webarchive file

2) Forcefully open it

Until recently, there were no protections to prevent step #1. Prior to Safari 13, no warnings were even displayed to the user before a website downloaded arbitrary files. So planting the webarchive file was easy. (Now, with Safari 13+, users are prompted before each download.)

Opening the webarchive file was trickier, but still manageable by somehow navigating to the file:// URI scheme. Back when Safari's error pages lived on the file:// scheme, hackers figured out how to purposely invoke an error page to just alter its pathname, a hack delightfully dubbed "Errorjacking." See here and here for two variations. Another approach that worked back in the day was to simply set the <base> tag to file://.

Fast forward to 2022 and things get a lot harder. Not only are auto-downloads prevented by default, but webarchive files are considered malicious applications by macOS Gatekeeper. This means that users can't even manually open foreign webarchives themselves anymore. Apple seems to have changed their 2013 stance about how dangerous these files can be.


Download prompt in Safari 13+

Gatekeeper Webarchive Prompt

Gatekeeper Launch Prevention

Still, webarchive files just seem too juicy to give up on. Let's explore how this old-school hack can still occur on the latest Safari and macOS builds.

Exploration of custom URI Schemes

I found success with my last Safari Camera Hacking project by conducting a deep dive into official IANA-registered URI schemes. This project was heavily guided by RFCs and public documentation. But there is an entire world of custom URL schemes that I neglected to talk about. These unofficial and (mostly) undocumented schemes are usually used by third-party iOS/macOS apps as a form of deep linking. There is actually an entire community built around discovering and using these schemes cross-app for both fun and hacking projects.

An interesting note is that several first-party system apps such as Apple Help Viewer (help://), FaceTime (facetime-audio://), and Apple Feedback (applefeedback://) also support custom URI schemes. Abusing these schemes from a website in Safari is not a novel technique. Indeed, hackers have been finding ways to use custom schemes to launch (and exploit bugs in) system applications for a while now. Hacks range from annoyingly placing calls, aiding in social engineering, to arbitrary file execution. Seriously, there is some awesome research in this space.

To help combat these attacks, modern versions of Safari warn the user before blindly launching secondary applications. That is, unless they are one of the hardcoded exceptions identified in this great Blackhat presentation.


Custom URI Schemes that Safari will launch without Prompt

All of these schemes are registered with Launch Services, so you can list them (and others) via this command:

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump | grep -B6 bindings:.*: | grep -B6 apple-internal

After digging through internal Apple schemes and cross-referencing them with the ones trusted by Safari, I found one that caught my eye: "icloud-sharing:". This scheme appears to be registered by an iCloud Sharing Application called "ShareBear."


LaunchServices data about the icloud-sharing: scheme

ShareBear was interesting to me because sharing iCloud documents seemed like a plausible path towards downloading & launching webarchive files. I couldn't find any publicly available documentation or research about this scheme so I just started poking at it myself.

ShareBear Application

At this point we have identified an application that can be automatically launched by Safari; however, we do not know how to correctly open it yet. Luckily, it was pretty straightforward.

Some quick research shows that iCloud File Sharing can generate a public Share Link.


Creating a public iCloud Share Link

These Share Links look something like this:

https://www.icloud.com/iclouddrive/01fooriERbarZSTfikqmwQAem

Simply replacing "https" with "icloud-sharing" is all that's needed to have Safari automatically open ShareBear with this file as a parameter. 

<script>
location.href = 'icloud-sharing://www.icloud.com/iclouddrive/01fooriERbarZSTfikqmwQAem';
</script>

Great, so what does ShareBear do now? Some quick testing showed this behavior:


ShareBear Behavior Flowchart

There is a subtle, but wildly impactful, design flaw with this behavior. Let's dig into what happens if the user has not opened this file before. The user will be shown a prompt, similar to the one below.


ShareBear Open Prompt

This innocuous little prompt, with the default value of "Open," seems pretty straightforward. A user should expect to have the image, example.png, opened if they agree. But in actuality, they are agreeing to much more than that.

Once the user clicks Open, the file is downloaded onto the victim's machine at the location /Users/<user>/Library/Mobile Documents/com~apple~CloudDocs and then automatically opened via Launch Services. Then the user will never see this prompt again. From that point forward, ShareBear (and thus any website in Safari) will have the ability to automatically launch this file. The truly problematic part of this agreement is that the file can be changed by anybody with write access to it. For example, the owner of the file could change the entire byte content and file extension after you agree to open it. ShareBear will then download and update the file on the victim's machine without any user interaction or notification.

In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment. Yikes.

Agreed to view my PNG file yesterday? Well today it's an executable binary that will be automatically launched whenever I want.

Apple fixed this behavior in macOS Monterey 12.0.1 as a result of my report without issuing a CVE, because it is more of a design flaw than a bug per se.

Bonus Bug: Iframe Sandbox Escape

While fuzzing the icloud-sharing:// scheme, I stumbled upon a fun bug unrelated to the UXSS hunt. ShareBear appears to check the path of the URL for "/iclouddrive/*" before performing the behavior outlined above. If the path happens to be "/photos/*" then ShareBear makes a pretty silly mistake. It will tell Safari to open a new tab pointing to the iCloud web app... but it does not verify that the domain name is actually the iCloud web app.

In normal operation, the user is simply presented with the website "https://photos.icloud.com." However, because this domain name is never validated, we can trick ShareBear into instructing Safari to open a new tab to any website.

The implications of this behavior may not be obvious. This doesn't seem all that different than just calling window.open('https://example.com') normally. However, there are situations on the web where websites aren't allowed to do that. One example is if a popup blocker is enabled. Another, more devious, example is when your website is inside of a sandboxed iframe.

The sandbox iframe attribute is typically used when you want to embed untrusted third-party content on your website. For example, you may want to display an ad banner on your blog but you don't want this ad to be able to run JavaScript (who knows, maybe the ad author has a browser 0day).


An important rule for sandboxed iframes is that new windows opened from that iframe should inherit the same restrictions as the iframe itself. Otherwise escaping the sandbox would be as trivial as opening a popup.

Well this bug tricks Safari into opening a 'fresh' new tab without any sandbox restrictions!

<html>
  <head>
    <meta http-equiv="refresh" content="0;URL='icloud-sharing://example.com/photos/foo'" />
  </head>
</html>

Website trapped in a Sandboxed Iframe

So ShareBear neglecting to verify the domain gives us an easy popup-blocker bypass and an iframe sandbox escape. Nice! (Fixed in Safari 15.2 without being assigned a CVE.) Live demo on BugPoC: https://bugpoc.com/poc#bp-S4HH6YcO (PoC ID: bp-S4HH6YcO, Password: loVEDsquId01). Note this demo will only work with Safari <15.2, pre macOS Monterey 12.1.

Now back to the Camera/UXSS hunt.

Quarantine and Gatekeeper

Quick reminder of where we are:

Our website can prompt the user to open a shared PNG file. If the user agrees, we can automatically launch this file at any point in the future, even after we alter the file content and extension.

The attacker can then modify the file on his own machine and ShareBear will take care of updating it on the victim's machine.

Mutating the Polymorphic File (attacker's machine vs. victim's machine)

The attacker's website can then automatically launch this newly-updated file using the same icloud-sharing:// URL that he used to display the original prompt.


This seems very close to our goal of forcefully downloading & opening an evil webarchive file. We can just swap out the content of puppy.png for a webarchive file and rename it "evil.webarchive", right? Unfortunately for us, pesky macOS Gatekeeper won't allow that.

It appears that ShareBear correctly gives downloaded files the 'com.apple.quarantine' attribute and, according to Apple, "Gatekeeper prevents quarantined executable files and other similar files (shell scripts, web archives, and so on) from opening or executing." For a deep dive into how macOS treats this attribute, as well as how Gatekeeper performs code signing, check out this great write-up.

For our purposes, there are two big limitations introduced by this OS protection:

1) We can't run our own apps

2) We can't directly open webarchive files

Side bar: while we can't run our own apps, launching existing, approved apps is trivial. Just use a fileloc to point to a local app (this technique is quite common). This attack is sometimes referred to as "Arbitrary File Execution" and is often misunderstood because it looks so scary.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>file:///System/Applications/Calculator.app</string>
</dict>
</plist>

fileloc pointing to macOS Calculator

Using the icloud-sharing:// scheme to launch the fileloc

While this attack might look scary, launching an already-approved app doesn't have much impact. Let's focus on opening webarchives.

The above technique to open local apps is reminiscent of an old-school symlink attack. It basically just uses a "shortcut" to trick software into opening something it doesn't expect.

Lots of different operating systems and applications have reinvented the wheel over the years when it comes to shortcuts. Nowadays, the term "shortcut" could be referring to a Unix symlink, a macOS alias, a Windows link file, a Safari webloc, an Edge bookmark, etc.

I was hopeful that I could use this technique to bypass Gatekeeper and open a webarchive file. This idea seemed promising to me because the actual application I want to open is Safari (an existing, approved application). Gatekeeper doesn't have a problem with me launching Safari, it just gets upset when I attempt to open any file ending in ".webarchive".

So I needed to find a shortcut filetype that launches Safari, then tells Safari to open a different file. After some trial and error, I found just that: the ancient Windows URL File!

[{000214A0-0000-0000-C000-000000000046}]
[InternetShortcut]
URL=file:///path/to/webarchive

evil.url file pointing to a local webarchive

Launching evil.url successfully opens Safari and instructs it to load the webarchive file without asking Gatekeeper for permission! (CVE-2021-30861) There was only one small hiccup: I need to know the full path to the webarchive file. Assuming the webarchive gets downloaded via ShareBear, it will live in /Users/<user>/Library/Mobile Documents/com~apple~CloudDocs, which includes the victim's username (not a very scalable attack).

Luckily, there is a neat trick to circumvent this requirement: we can mount the webarchive file into the known /Volumes/ directory using a DMG file.

Using the icloud-sharing:// scheme to mount the dmg

Now we know exactly where the webarchive file resides. Which means the below evil.url file will work every time.

[InternetShortcut]
URL=file:///Volumes/folder/evil.webarchive

evil.url file pointing to a known-location local webarchive

Using the icloud-sharing:// scheme to launch evil.url to open evil.webarchive

And just like that, we are executing JavaScript code anywhere we want. The above screen recording injects 'alert(origin)' in https://google.com.
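As an added example (not code from the original write-up), the following Python script inspects the three artifact types chained above (a Safari .webarchive, a macOS .fileloc and a Windows .url shortcut) and reports what each one would make Safari or Launch Services open, so a defender can triage files dropped into a shared iCloud folder; the sample files and the risk labels are constructed here and are assumptions, not part of any Apple tooling.

```python
"""Shortcut and webarchive triage (added example; not code from the original post).

Builds, in memory, the three artifact types the write-up chains together and
reports the target each one points at. Real files can be fed in the same way:
read the bytes and call triage(filename, data).
"""
import configparser
import plistlib
from urllib.parse import urlsplit

# Key names from Safari's webarchive format (a binary plist).
WEBARCHIVE_MAIN = "WebMainResource"
WEBARCHIVE_URL = "WebResourceURL"


def origin_of(url: str):
    """Return the web origin (scheme://host[:port]) a URL would render in, or None."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.hostname:
        port = f":{parts.port}" if parts.port else ""
        return f"{parts.scheme}://{parts.hostname}{port}"
    return None  # file:// and custom schemes carry no web origin


def inspect_webarchive(data: bytes) -> dict:
    """The archive itself declares the origin its main resource renders in."""
    main = plistlib.loads(data).get(WEBARCHIVE_MAIN, {})
    url = main.get(WEBARCHIVE_URL, "")
    return {"kind": "webarchive", "target": url, "origin": origin_of(url)}


def inspect_fileloc(data: bytes) -> dict:
    """A .fileloc is a plist; its URL key is what Launch Services opens."""
    url = plistlib.loads(data).get("URL", "")
    return {"kind": "fileloc", "target": url, "origin": origin_of(url)}


def inspect_url_file(data: bytes) -> dict:
    """A Windows .url is INI text; URL= under [InternetShortcut] is the target."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(data.decode("utf-8", errors="replace"))
    url = cfg.get("InternetShortcut", "URL", fallback="")
    return {"kind": "url", "target": url, "origin": origin_of(url)}


INSPECTORS = {
    ".webarchive": inspect_webarchive,
    ".fileloc": inspect_fileloc,
    ".url": inspect_url_file,
}


def triage(name: str, data: bytes) -> dict:
    """Dispatch on extension and attach a (constructed) risk label to the report."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    inspector = INSPECTORS.get(ext)
    if inspector is None:
        return {"kind": "other", "target": "", "origin": None, "risk": "unknown"}
    report = inspector(data)
    target = report["target"].lower()
    if report["kind"] == "webarchive":
        # Every webarchive claims an origin; surface it so the analyst sees which one.
        report["risk"] = "review" if report["origin"] else "low"
    elif target.startswith("file:") and target.endswith(".webarchive"):
        report["risk"] = "high"    # shortcut that feeds a local webarchive to Safari
    elif target.startswith("file:"):
        report["risk"] = "medium"  # shortcut that launches a local app or file
    else:
        report["risk"] = "low"
    return report


def build_samples() -> dict:
    """Constructed sample files mirroring the write-up's chain (not real captures)."""
    webarchive = plistlib.dumps(
        {WEBARCHIVE_MAIN: {
            WEBARCHIVE_URL: "https://www.icloud.com/",
            "WebResourceMIMEType": "text/html",
            "WebResourceTextEncodingName": "UTF-8",
            "WebResourceData": b"<script>alert(origin)</script>",
        }},
        fmt=plistlib.FMT_BINARY,
    )
    fileloc = plistlib.dumps({"URL": "file:///System/Applications/Calculator.app"})
    url_file = (
        "[{000214A0-0000-0000-C000-000000000046}]\n"
        "[InternetShortcut]\n"
        "URL=file:///Volumes/folder/evil.webarchive\n"
    ).encode()
    return {"saved.webarchive": webarchive, "calc.fileloc": fileloc, "evil.url": url_file}


if __name__ == "__main__":
    for name, data in build_samples().items():
        r = triage(name, data)
        print(f"{name:18} {r['kind']:10} risk={r['risk']:7} target={r['target']}")
```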

Let's tie this together into one final attack.

Using ShareBear to download and open a webarchive file for us can be broken down into 3 steps:

1) Trick the victim into giving us permission to plant the polymorphic file

2) Turn puppies.png into evil.dmg and launch it

3) Turn evil.dmg into evil.url and launch it

Of course turning "File A" into three different payloads will require some server-side coordination. Another (less fun) way to pull off this attack is to have the victim agree to open a shared folder that already has all the files ready to go.

Screen Recording of UXSS via viewing an iCloud Shared Folder

In the above screen recording, the victim agrees to view a folder that contains some PNG images. This folder also has two hidden files - .evil.dmg & .evil.url.

The website uses the icloud-sharing:// URL Scheme to automatically launch both of the hidden files to successfully bypass Gatekeeper and open a webarchive file. Note that no additional prompts are displayed to the victim after he agrees to view the shared folder. The example webarchive file above injects code into https://www.icloud.com to exfiltrate the victim's iOS camera roll.

Of course this is just an example; this UXSS attack allows the attacker to inject arbitrary code into arbitrary origins. It would be just as easy to inject JavaScript code to turn on the webcam when hijacking a trusted video chat website like https://zoom.us or https://facetime.apple.com. Mission accomplished.


Screenshot of UXSS hijacking Zoom Website to turn on webcam

Remediation

So how did Apple fix these issues?

The first fix was to have ShareBear just reveal files instead of launch them (fixed in macOS Monterey 12.0.1 without being assigned a CVE).

The second fix was to prevent WebKit from opening any quarantined files (fixed in Safari 15 as CVE-2021-30861; see the fix implementation here).

Bonus Material (#1)

Before I discovered the evil.url trick, I actually found a different way to trick Launch Services into (indirectly) opening a webarchive file. I found this bug on the latest public release of Safari (v14.1.1). A few days after reporting this bug to Apple, they informed me that the beta Safari v15 was not vulnerable. It appeared that an unrelated code refactor made v15 impervious. For completeness' sake, I will quickly go over that bug anyway:

The obvious way to open Safari via Launch Services is with a local html file. Once opened, this page will have the file:// URI scheme. From there, JavaScript is allowed to navigate to other file:// URIs.

<script>
location.href = 'file:///path/to/another/local/file'; // allowed when location.protocol == 'file:'
</script>

local HTML file navigating to another local file

So what happens if the file we are navigating to is a webarchive? Well, Safari just hangs.

Screen Recording of Safari refusing to render a webarchive

This annoying hang occurred for every type of page navigation I could think of (anchor href, iframe src, meta redirect, etc.) when the destination file was a webarchive. 

Then I found this bug:

location.href = 'file://fake.com/path/to/evil.webarchive'; 

local HTML file navigating to a local webarchive file

Safari forgets to perform the webarchive check when there is a host value in a file:// URL! Funny enough, this bug appears to have been introduced when Apple fixed my old file:// bug (CVE-2020-3885).

When Apple informed me that Safari Beta v15 wasn't vulnerable, I went back to the drawing board and found the evil.url hack.

Bonus Material (#2)

There was still one thing that bugged me after I finished the UXSS chain: it can't be used to steal local files. Sure, UXSS can be used to steal files indirectly by injecting code into https://dropbox.com or https://drive.google.com , but files that exist only on the victim's hard drive are out of reach.

The excellent Black Hat presentation I referenced earlier inspired me to look for other system applications that could run my JavaScript in a more privileged context than Safari. After digging around for a while, I stumbled upon an obscure file type recognized by macOS Script Editor called " Scripting Additions " (.osax). These files (or rather ' bundles ') contain a nested XML-based file called a "Dictionary Document" (.sdef). The dictionary document is used to display the human-readable, developer-defined terms used by an AppleScript application. Phew.

The important discovery was that these XML-based files are allowed to contain HTML. As it turns out, the HTML renderer also has a JavaScript engine, and that engine does not enforce the same-origin policy (SOP)! (Fixed in macOS Big Sur 11.6.2 as CVE-2021-30975 .) This means stealing /etc/passwd is easy:

<!DOCTYPE dictionary SYSTEM "">
<dictionary>
    <suite name="" code="">
        <command name="" code="" description="">
        </command>
        <documentation>
            <html>
                <![CDATA[
                    <script>
                        fetch('file:///etc/passwd').then(x=>{x.text().then(y=>{document.write(y);})})
                    </script>
                ]]>
            </html>
        </documentation>
    </suite>
</dictionary>

evil.sdef displaying the content of /etc/passwd

Luckily for us, Gatekeeper does not mind us opening Scripting Addition files. So we just take evil.sdef , package it in evil.osax , and send it to the victim via ShareBear. Then our icloud-sharing:// URI can automatically launch it in Script Editor.

Screen Recording of ShareBear opening evil.osax to steal /etc/passwd

Nice, so now in addition to UXSS, this hack can also circumvent sandbox restrictions and steal local files!

This project was an interesting exploration of how a design flaw in one application can enable a variety of other, unrelated bugs to become more dangerous. It was also a great example of how, even with macOS Gatekeeper enabled, an attacker can still achieve a lot of mischief by tricking approved apps into doing malicious things.

I submitted these bugs to Apple in mid July 2021. They patched all issues in early 2022 and rewarded me $100,500 as a bounty.


What Are Bug Bounties and How Do They Work?


Bug bounty is a cybersecurity method that empowers organizations to minimize their threat exposure by leaning on the expertise of a community of ethical hackers. Let's explain what bug bounty is and how it works step-by-step with examples from real organizations using bug bounty programs.

How Do Bug Bounties Work?

Companies create bug bounties to provide financial incentives to independent bug bounty hunters who discover security vulnerabilities and weaknesses in systems. When bounty hunters report valid bugs, companies pay them for discovering security gaps before bad actors do.

What Is a Bug Bounty?

A bug bounty is a monetary reward given to ethical hackers for successfully discovering and reporting a vulnerability or bug to the application's developer. Bug bounty programs allow companies to leverage the hacker community to continuously improve their systems' security posture over time.

Hackers around the world hunt bugs and, in some cases, earn full-time incomes . Bounty programs attract a wide range of hackers with varying skill sets and expertise, giving businesses an advantage over tests that may rely on less experienced security teams to identify vulnerabilities.

Bounty programs often complement regular penetration testing and provide a way for organizations to test their applications’ security throughout their development life cycles.

How Does a Bug Bounty Program Work?

Businesses starting bounty programs must first set the scope and budget for their programs. A scope defines which systems a hacker may test and how testing is conducted. For example, some organizations keep certain domains off-limits or require that testing have no impact on day-to-day business operations. This lets them implement security testing without compromising organizational efficiency, productivity, and ultimately the bottom line.

Bug bounties with competitive payouts signal to the hacking community that a company is serious about vulnerability disclosure and security. Programs base reward levels on the severity of vulnerabilities, and rewards increase as the potential impact increases.

Money isn’t the hacker community’s only motivation. Systems like leaderboards that credit hackers for discoveries help them build recognition.

Once a hacker discovers a bug, they fill out a disclosure report that details exactly what the bug is, how it impacts the application, and what severity it merits. The hacker includes the key steps and details that let developers replicate and validate the bug. Once the developers review and confirm the bug, the company pays the bounty to the hacker.

Payouts vary based on severity and range from a few thousand dollars up to millions of dollars depending on the company and the bug’s potential impact. Developers will prioritize incoming bug reports based on severity and work to resolve the bug. After fixing the bug, developers retest to confirm issue resolution.  

Bug Bounty Program Examples

Some of the biggest brands around the world use bounty programs to keep their applications and customers safe. Below are three examples of companies that use HackerOne to run their bounty programs.

Yelp connects searchers to great local businesses worldwide. Yelp has used HackerOne since 2014 to manage its bounty program . Seeing the value in the hacker community, Yelp has tens of different domains in scope, including everything from mobile apps to email systems. To date, Yelp has used its bug bounty program to fix over 300 vulnerabilities and continues to add new applications and domains to its roadmap. 

In 2023, a member of HackerOne's hacker community, @lil_endian , discovered a vulnerability in yelp.com that could allow persistent cross-site scripting and account takeover. The vulnerability impacted account security and could enable unauthorized access to user data, putting Yelp and its users' data at high risk of exploitation. It was classified as "high" severity, and the hacker received a $6,000 bounty for their report.

KAYAK empowers its users to compare hundreds of travel sites at once. Having launched its bug bounty program in 2022, KAYAK has already paid out over $150,000 in bounties. 

While researching zero-day vulnerabilities in mobile applications, the hacker @retr02332 found it was possible for an attacker to gain unauthorized access to a victim's KAYAK account, view their personal information, and perform account actions as the victim, all in one click. Naturally, this kind of vulnerability is considered very important, and it was classified as "critical" with a severity score of 9.3.

Basecamp is a leading online project management system, and since launching their bug bounty program with HackerOne in 2020, they've paid out over $300,000 in bounties. 

A high-severity vulnerability reported by hacker @neex allowed a malicious actor to gain access to sensitive information such as AWS keys and user cookies from Basecamp servers. Leaked user cookies could have led to account hijacking and unauthorized access to user data and accounts on Basecamp. The hacker received an $8,868 bounty from Basecamp for their report.

How Can I Set Up My Own Bug Bounty Program?

Traditionally, setting up a bug bounty program required companies to build their own communication platform, implement bug-tracking systems, and integrate with payment gateways. Now, setting up a bug bounty program is a simple process through HackerOne. The HackerOne platform allows organizations to set their scope, track bug reports, and manage payouts from one location.

Detailed reporting metrics give security teams a live view of their bug bounty program's progress and allow companies to set customized SLAs for resolving new disclosures.

How HackerOne Can Help

HackerOne harnesses the world’s largest and most diverse community of hackers to help keep businesses safe by providing an all-in-one platform to perform continuous and comprehensive security testing. The platform takes a streamlined approach to finding and remediating bugs while supporting everything from disclosure to payout in a single dashboard.

HackerOne is the world's largest hacker-powered security platform. Contact us today to learn more about launching your first bug bounty program. 



How to Get Started With Bug Bounty?

Bug bounty programs are a great way for companies to add a layer of protection to their online assets. A bug bounty program is a crowdsourced penetration testing program that rewards researchers for finding security bugs and ways to exploit them. For researchers and cybersecurity professionals, it is a great way to test their skills on a variety of targets and get paid well when they find security vulnerabilities. The number of companies with a formal crowdsourced program is increasing, and so is the number of people who want to become freelance penetration testers. Aspiring bug bounty hunters come with very different levels of knowledge, experience, and skill.


Some are completely new to web development with little prior programming experience, some are experienced web developers with no cybersecurity experience, and some are highly skilled cybersecurity professionals. The steps are the same for everyone; one can, however, skip one or more steps based on their skills and experience.

Let’s get started with these steps:

1. Learn Computer Networking:  

A decent knowledge of computer networks is necessary for getting started with bug bounty. You are not required to have expertise in networking, but you should be proficient with at least the fundamentals: inter-networking, IP addresses, MAC addresses, the OSI model and the TCP/IP stack, and so on. You can learn these from quality online resources such as GeeksforGeeks Computer Networks .

2. Get Familiarized With Web Technologies: 

This includes a basic understanding of web programming and web protocols. The core client-side web languages are JavaScript , HTML , and CSS ; beginner to intermediate proficiency with these is more than enough at the start. The protocols you should learn about are HTTP, FTP, TLS, and so on. These can be learned from the corresponding RFCs or from the numerous offline and online resources available.

3. Learning Web Application Security Measures and Hacking Techniques: 

This includes learning about common security mechanisms and practices and their bypasses, common vulnerabilities in web applications, ways to find them, and ways to patch applications and prevent these vulnerabilities. Useful resources are:

Recommended Books:

  • Web Application Hacker’s Handbook
  • Mastering Modern Web Application Penetration Testing
  • Web Hacking 101

4. Practicing and Polishing Your Skills:  

Practicing helps in developing a framework for approaching a target. The more you practice on diverse targets of different difficulty levels the easier it will be for you to approach a web application in a way that increases your chances of finding a critical vulnerability (or even finding a vulnerability if the application is well-secured and has been already tested by many hunters). Try making great use of these resources: 

Vulnerable Web Applications: These are intentionally vulnerable virtual machines or web app packages. They come as general variants that contain many types of vulnerabilities and as dedicated variants that focus on a single vulnerability and its subtleties. Some examples are:

  • OWASP WebGoat
  • Cyclone Transfers
  • Butterfly Security Project
  • bWAPP and DVWA (Damn Vulnerable Web Application)

bWAPP, DVWA, and WebGoat are the best for beginners.

5. Testing Real Targets: 

After you are thoroughly done with your basics and have a decent level of skill, you can start doing the actual hunting on real websites. A lot of websites run bug bounty programs for their web assets. Some big names are: 

These companies reward generously but finding a security bug on any of their assets is highly difficult due to tough competition. You must remember that the top bug bounty hunters of the world are testing these websites along with you. However, that doesn’t mean you can’t find something at all. 

6. Staying Current on Latest Vulnerabilities:  

For this, you can follow elite researchers and learn from their work. You can also read disclosed reports on bug bounty platforms like HackerOne. Some recommended researchers to follow are: 

  • Frans Rosén
  • Jason Haddix
  • PortSwigger
  • Jobert Abma

Whatever your academic background or current working domain, if you really want to get started with bug bounty you can simply start learning the required skills and tools and start doing the actual hunting!

Miscreants are exploiting enterprise tech zero days more and more, Google warns

Crooks know where the big bucks are.

The discovery and exploitation of zero-day vulnerabilities in enterprise-specific software and appliances appears to be outpacing the leveraging of zero-day bugs overall, judging by Google's latest research.

In a report published today, the web giant's Threat Analysis Group (TAG) and Mandiant division said they tracked 97 total zero-day vulnerabilities found and exploited by miscreants in 2023, which is considerably more than the year prior, which had 62 such holes. That's a 56 percent uplift.

The number of found and exploited enterprise-specific technology zero-day vulnerabilities, however, increased by 64 percent in 2023 compared to 2022 with miscreants exploiting 36 of these bugs. This figure has been rapidly growing over the past five years, we're told, with just 11.8 percent of zero-days in 2019 affecting enterprise software.

"This percentage increased to 37.1 percent in 2023, signaling a continued shift in the types of products targeted for malicious exploitation," according to the report [ PDF ].


This year's report combines analysis from both the Mandiant and TAG teams for the first time since Google bought Mandiant in 2022. It also split the zero-day vulnerabilities into two categories: end-user platforms and products – encompassing mobile devices, operating systems, browsers, and other applications – and enterprise-focused software and appliances.

While 61 of the 97 zero-days affected end-user products last year, this number isn't increasing as rapidly as its enterprise counterparts.

Specifically, this included 17 Windows vulnerabilities, 11 in Safari, nine affecting both iOS and Android, and eight in Chrome. Google didn't observe any zero-days across macOS, Firefox or Internet Explorer last year.

The bug hunters credit vendors such as Apple, Google, and Microsoft with making "notable investments that are having a clear impact on the types and number of zero-days actors are able to exploit."

This includes protections such as Apple's Lockdown Mode for iOS and Google's MiraclePtr , which blocks exploitation of many use-after-free bugs across all Chrome platforms.

"Vulnerabilities that were commonplace in years past are virtually non-existent today," the report states.

Across these end-user platforms, however, the Googlers did note an increase in zero-days across third-party components and libraries, which gives attackers more bang for their buck and allows them to exploit one bug while affecting multiple products.

This included CVE-2023-5217 , a heap buffer overflow in VP8 encoding in libvpx, an open source video codec library. This flaw affected Chrome, Firefox, iOS, and Android.

On to another browser zero-day that was exploited in 2023 – CVE-2023-4863 , a heap buffer overflow in libwebp that affected any software that used the WebP image library. This included Chrome, Safari, Android, and Firefox.

"We assess with high confidence that the Chrome vulnerability CVE-2023-4863 and the Apple ImageIO vulnerability CVE-2023-41064 are actually the same bug," TAG and Mandiant claim.

Enterprise tech zero-days

Moving back to the enterprise zero-days, Google's threat hunters attribute the increase to buggy security software and appliances in 2023. Notably, this included Barracuda Email Security Gateways , Cisco Adaptive Security Appliances , Ivanti Endpoint Manager Mobile and Sentry , and Trend Micro Apex One .

Ivanti had three zero-day exploits last year, as did North Grid Corporation, giving these two vendors the dubious honor of being the most-exploited enterprise tech in 2023 in terms of zero-days.


This also illustrates a "key challenge" faced by enterprise vendors, according to TAG and Mandiant: "Learning how to respond to sophisticated attacks targeting their products in a timely and effective manner while simultaneously developing an effective patch that addresses the ways threat actors are weaponizing the vulnerability."

Commercial surveillance vendors, government snoops going strong

Speaking of sophisticated attacks and attackers, perhaps unsurprisingly the bulk of last year's exploits can be attributed to commercial surveillance vendors (41.4 percent) and government cyberspies (41.4 percent).

The rest (ten exploits) came from financially motivated criminals, which are already having plenty of success scanning for and then exploiting recently disclosed bugs, so it doesn't make as much sense for them to buy zero-day exploits.

The Google teams were able to attribute motivation to 58 zero days in 2023, and a combined 48 of these traced back to commercial surveillance vendors (think Pegasus developer NSO Group , Predator maker Intellexa , Candiru , and others) and government-linked crews including those with ties to Russia, North Korea, Belarus, China, and other unknown actors.

TAG goes in-depth into a lot of these commercial surveillance vendors in its earlier report [ PDF ], published last month, which is worth a read for its insight into the CSV ecosystem.

A couple of notable stats from the new zero-day report: CSVs were responsible for 75 percent (13) of known zero-day exploits targeting Google products and Android ecosystem devices in 2023, and 55 percent targeting iOS and Safari (11).

CSVs did not have any luck with Windows zero-days in 2023. Every Windows exploit could be attributed to either government-backed or financially motivated miscreants.

However, "we know that Candiru, a CSV, had a chain for Windows because we were able to recover their first stage Chrome exploit, but we were not able to recover the rest of the exploits in the chain," the report says.

Additionally, China's government was behind 12 zero-day exploits last year, up from seven in 2022, which, once again, puts the People's Republic as the most prolific nation-state attacker.

This number includes UNC4841's exploitation of two Barracuda bugs, CVE-2023-2868 and CVE-2023-7102.

Plus, another Beijing-linked group, UNC3886 , exploited three separate zero-days using two novel attack paths as the report outlines:

In one path, UNC3886 took advantage of a path traversal vulnerability in Fortinet's FortiOS (CVE-2022-41328) to overwrite legitimate files in a normally restricted system directory before exploiting an authentication bypass vulnerability in VMware products (CVE-2023-20867) that enabled the execution of privileged commands; we identified this exploitation dating back at least to mid-2022.

In a second attack, the group exploited CVE-2023-34048, a VMware out-of-bounds write bug, and then also exploited CVE-2023-20867. TAG and Mandiant say this gave the group access to vulnerable networks as far back as late 2021.

