Australia markets close in 1 hour 21 minutes

    +17.60 (+0.24%)
  • ASX 200

    +12.10 (+0.17%)

    +0.0030 (+0.43%)
  • OIL

    -0.36 (-0.32%)
  • GOLD

    +8.90 (+0.49%)

    -271.35 (-0.62%)
  • CMC Crypto 200

    +439.34 (+181.04%)

    +0.0027 (+0.40%)

    +0.0015 (+0.14%)
  • NZX 50

    -23.06 (-0.21%)

    -143.82 (-1.16%)
  • FTSE

    +46.65 (+0.63%)
  • Dow Jones

    +26.76 (+0.08%)
  • DAX

    -63.55 (-0.45%)
  • Hang Seng

    +445.45 (+2.23%)
  • NIKKEI 225

    +77.86 (+0.29%)

Mac webcam hack nets student big payout

·2-min read
A man uses a computer in a lounge area. (Source: Reuters)
The new Apple Mac webcam vulnerability could potentially expose all your web-based accounts to hackers (Source: Reuters)

A cyber-security student has just won himself US$100,500 ($142,714) from Apple by discovering how hacking Mac webcams can leave devices completely exposed to hackers.

Ryan Pickren's earning is supposedly Apple's largest bug bounty payout to date.

The tech giant has not commented on the bug nor confirmed if it was actively exploited.

What's the issue?

The new webcam vulnerability highlights a series of defects with iCloud and Safari, which Apple has now supposedly fixed according to Pickren.

Before it was secured, a malicious website could launch an attack using these defects to their advantage.

In his hack, Pickren successfully gained unauthorised camera access by exploiting several issues with iCloud Sharing and Safari 15.

Though the bug requires the victim to open a pop-up from the hacker's website, it leads to more than just multimedia permission hijacking once the victim clicks 'Open'.

The attacker would have full access to all web-based accounts, from iCloud to PayPal to Facebook and Gmail, along with permissions to use the camera, microphone, and screen sharing.

The regular green light would still come on as normal if the camera were used.

This hack could eventually empower an attacker to gain absolute access to a device's entire file system. according to Pickren. The hacker would be able to do so by exploiting Safari's 'webarchive' files, the system the browser uses to save local copies of websites.

"A startling feature of these files is that they specify the web origin that the content should be rendered in, which is an awesome trick to let Safari rebuild the context of the saved website," Pickren explained.

The fix

Given that a user has to download such a webarchive file, and then also open it, Pickren believes Apple had not considered this a realistic hack scenario when it first implemented Safari's webarchive.

"A decade ago, when this decision was made, [the] browser security model wasn't nearly as mature as it is today," Pickren said.

Following his discovery, Apple has now made camera access significantly more difficult.

Multimedia access is now allowed only when the protocol is "https:" and the domain matches saved settings of the user.

Cleverly malformed URIs won't be able to gain access any longer.

Follow Yahoo Finance on Facebook, LinkedIn, Instagram and Twitter, and subscribe to the free Fully Briefed daily newsletter.

Our goal is to create a safe and engaging place for users to connect over interests and passions. In order to improve our community experience, we are temporarily suspending article commenting