A Hacker Was Rewarded $75000 By Apple's Bug Bounty Program For Discovering Multiple Zero-Day Loopholes In Safari

  • Apple paid out $75000 to a security researcher for discovering multiple zero-day vulnerabilities in its software which could lead to the hijacking of the camera app on any Apple device.
  • What type of vulnerabilities were discovered by the hacker and the immediate steps taken by Apple to fix these security holes in its software?
  • Apple’s Bug Bounty Program and its upcoming iOS Security Research Device Program encourage hackers to uncover security holes in its software so that Apple can ship more secure devices to its consumers.

A report from Forbes says that Apple rewarded a hacker named Ryan Pickren with $75000 after he unveiled seven zero-day vulnerabilities in its browser Safari. These loopholes allowed him to build a kill chain, and he was even able to hijack the camera app on Apple’s devices such as a MacBook or an iPhone.

A zero-day vulnerability is a security hole in software that is unknown to the developers’ team and to the users, while hackers who are quietly exploring these vulnerabilities may already have knowledge of them.

According to Ryan Pickren, he detected these security holes after he started to ‘hammer’ Apple’s browser Safari, which began exhibiting weird behavior, particularly with respect to the Camera app’s security. The security researcher discovered seven security holes in total. These security holes could be exploited by tricking a user into visiting a malicious website. He was able to build a kill chain that gave him access to the Camera app on any MacBook or iPhone.

In December 2019, the bug hunter submitted his research to Apple’s Bug Bounty Program. The company immediately confirmed these security holes. Within a few weeks, Apple shipped a fix for the camera kill chain in its browser, Safari 13.0.5. The update was made available on January 28, and the other, less severe vulnerabilities were fixed by the company in Safari 13.1, which was released on March 24.

Previously, the company’s bug bounty program was invitation-only and excluded non-iOS devices. In December 2019, the program was opened up to all hackers, and the company also increased the maximum reward from $200,000 to up to $1 million, depending on the severity of the security hole.

When submitting their research, researchers need to give the company a detailed explanation of the flaw and the conditions under which it works. Apple needs this information to produce a fix for the security hole.

The company is planning to provide ‘dev’ iPhones to its trusted security researchers. These special iPhones will enable hackers to deeply understand the operating system and its software. This will make it easier for them to unveil security holes.

The company will soon launch an iOS Security Research Device Program, and these special iPhones are being given to these hackers as part of that upcoming program. The program focuses on encouraging more security researchers to discover security flaws, which will ultimately lead the company to produce more secure devices for its users.
