Ryan Pickren used an imaginative approach that allowed him to run arbitrary code on a target Mac, and received what he believes to be the largest bug bounty Apple has ever paid …
Pickren is a PhD student in cyber security at the Georgia Institute of Technology. Back in 2019, he discovered a series of vulnerabilities that he exploited to enable him to switch on an iPhone camera and microphones without the user having to grant privacy permissions.
He said Apple’s camera security was “pretty intense,” but he succeeded in chaining multiple exploits to defeat it. He reported it to the iPhone maker, which fixed the vulnerabilities and paid him a bug bounty of $75,000.
New exploit hijacked Mac webcam
Not content with this, Pickren last year set out to see whether he could take control of a Mac webcam, and succeeded in doing so. The path he found let him do much more than this, however!
My hack successfully gained unauthorized camera access by exploiting a series of issues with iCloud Sharing and Safari 15. While this bug does require the victim to click “open” on a popup from my website, it results in more than just multimedia permission hijacking. This time, the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too.
The details are somewhat involved, but one of the keys to doing it was a vulnerability in an iCloud sharing app called ShareBear.
If you accept an invitation to share a document with someone, the Mac remembers that you’ve granted permission, and doesn’t ask you if you re-open the same file later. However, as that file is stored remotely, the owner can change it after you have accessed it. Crucially, the file could be changed to a completely different file type – including an executable – and would still be silently opened.
This gave Pickren the ability to turn an innocent file like a Pages document or image into a piece of malware, which your Mac would happily run.
There was much more to it than this, as you can read in his detailed run-through, but the top-level approach was:
- Persuade a user to open an innocent remotely shared document
- Subsequently change that document into a disk image containing malware
- Fool Safari into opening the image and running the malware
- Do this in a way that doesn’t trigger Gatekeeper
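To make the design flaw concrete, here is an added toy model (not Apple's or Pickren's code; every class and function name is invented) in which a grant remembered only by share identity silently carries over after the owner swaps the content, shown beside a policy that binds the grant to the approved file type and only reveals files rather than launching them.

```python
# Added illustration of the ShareBear-style flaw: a permission recorded against a
# share identifier survives a remote content swap. Names here are invented.
from dataclasses import dataclass, field


@dataclass
class SharedFile:
    share_id: str       # stable identifier of the remote share
    content_type: str   # what the file currently is; the owner can change this


@dataclass
class Opener:
    bind_grant_to_type: bool   # True: a grant is only valid for the approved type
    launch: bool               # True: launch the file; False: only reveal it
    approved: dict = field(default_factory=dict)   # share_id -> approved type
    log: list = field(default_factory=list)        # audit trail of refusals

    def open(self, f: SharedFile, user_clicks_open: bool) -> str:
        remembered = self.approved.get(f.share_id)
        if remembered is None:
            if not user_clicks_open:
                return "denied"
            self.approved[f.share_id] = f.content_type   # first open: record grant
        elif self.bind_grant_to_type and remembered != f.content_type:
            # Content changed since approval: the old grant must not carry over.
            self.log.append(f"{f.share_id}: {remembered} -> {f.content_type}")
            return "denied"
        return f"{'launched' if self.launch else 'revealed'}:{f.content_type}"


def replay(opener: Opener) -> list:
    """Victim accepts an innocent document; the owner then swaps it for a disk image."""
    doc = SharedFile("share-123", "pages")
    results = [opener.open(doc, user_clicks_open=True)]      # invite accepted
    doc.content_type = "dmg"                                 # remote content swap
    results.append(opener.open(doc, user_clicks_open=False))  # re-opened, no prompt
    return results


VULNERABLE = Opener(bind_grant_to_type=False, launch=True)
REVEAL_ONLY = Opener(bind_grant_to_type=False, launch=False)   # the fix quoted below
HARDENED = Opener(bind_grant_to_type=True, launch=False)
```

Run `replay()` on each policy: the vulnerable opener launches the swapped disk image, the reveal-only opener surfaces it without executing anything, and the type-bound opener refuses and logs the change.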
This allowed him to do a huge number of things, including activating the Mac’s webcam and microphones. Apple does hardwire the tell-tale LED to the camera, so it’s not possible to switch on the camera without also lighting the green LED, but this might easily go unnoticed if the Mac is just sitting in a corner of the room at the time.
Apple pays bug bounty of $100K
Pickren filed reports with Apple of all the vulnerabilities exploited, allowing the company to fix them.
This project was an interesting exploration of how a design flaw in one application can enable a variety of other, unrelated, bugs to become more dangerous. It was also a great example of how even with macOS Gatekeeper enabled, an attacker can still achieve a lot of mischief by tricking approved apps into doing malicious things.
I submitted these bugs to Apple in mid July 2021. They patched all issues in early 2022 and rewarded me $100,500 as a bounty.
The first fix was to have ShareBear just reveal files instead of launch them (fixed in macOS Monterey 12.0.1 without being assigned a CVE).
Pickren believes this to be the highest sum ever paid by the company through its security program.