back to article Infosec chap: I found a way to hijack your web accounts, turn on your webcam from Safari – and Apple gave me $100k

A security bod scored a $100,500 bug bounty from Apple after discovering a vulnerability in Safari on macOS that could have been exploited by a malicious website to potentially access victims' logged-in online accounts – and even their webcams. Ryan Pickren, last seen on The Register after scooping $75k from Cupertino's …

  1. Red Sceptic

    Not holding my breath

    “ If someone at Apple would like to comment, you know where to find us.”

  2. Pete 2 Silver badge

    Value for money

    > A security bod scored a $100,500 bug bounty from Apple

    And that's still cheaper than testing stuff before it escapes it is released.

    1. veti Silver badge

      Re: Value for money

      But the bug has been patched. The development, testing and rollout of the patch will have cost way more than the bounty.

      There is no such thing as perfect testing, and vulnerabilities will always get through.

      1. AMBxx Silver badge
        Boffin

        Re: Value for money

        From the article, this sounds more like really bad design rather than a bug. Testing wouldn't have really helped as it was doing what it was designed to do. Sounds like they need to change their approach to development.

        1. 7teven 4ect

          Re: Value for money

          To phrase such in a way that promotes the suggestion that a line exists between design and test, or between any two so-called software development phases, is to err, and finding err is good testing.

        2. Anonymous Coward
          Anonymous Coward

          Re: Value for money

          "From the article, this sounds more like really bad design rather than a bug."

          That's what I getting to. It sounds like this was "OK" to do because, well... it's supposed to have that option. If I had my tin-foil hat with me, I'm sure I could get to the bottom of this trojan like feature.

      2. You aint sin me, roit

        Do ShareBears shit in the woods?

        The implication is that nobody thought "What could possibly go wrong if I automatically sync a file without any checks?".

        And that is a naive approach to programming, particularly when messing with code that has such security implications.

        1. DS999 Silver badge

          Re: Do ShareBears shit in the woods?

          particularly when messing with code that has such security implications

          All code has security implications. The biggest security bugs are usually found in code that would on first glance appear least likely to have security implications. i.e. the bug NSO Group was found to be exploiting last fall which leveraged many individual bugs in a chain but one was found in ancient open source software used to embed fax images in a PDF. Who is going to look at that and think "uh oh I better audit this code or someone will develop a terrifying iPhone exploit!"

          If you only look at the code with "such security implications" you will miss the forest for the trees. Not that anyone has successfully managed to secure even the stuff that really needs to be secure - just look at the bugs found in openssl code that had been there for years and years without anyone noticing. You gotta think that was subject to a ton of scrutiny, given how important that is to pretty much every company and every government in the world for something or other, and it was sitting out there in the source where any one of 7+ billion people could have chosen to look at it if they wished.

  3. Natalie Gritpants Jr

    Apple: It just works

    Including the vulnerabilities.

    1. Wyrdness

      Re: Apple: It just works

      Not unique to Apple. There's also a story on El Reg today about a Linux bug that can grant root access.

      https://www.theregister.com/2022/01/26/pwnkit_vulnerability_linuix/

      1. AMBxx Silver badge
        Windows

        Re: Apple: It just works

        Yay to Windows!!

  4. Androgynous Cupboard Silver badge

    Very clever

    That's nice work. Hacking is a bit like chess - you've got a starting position, and then you exhaustively search all your moves from that point. And there are some truly random moves in here, I definitely wouldn't have thought of zeroing out a file to keep its metadata and replacing with a web-archive (clearly neither did Apple).

    Lots of grumblers above - I must be writing this comment in the presence of people that write complex systems and still never get anything wrong. Had I known I would have worn a nicer shirt.

    1. breakfast
      Go

      Re: Very clever

      If people releasing large scale software with lots of developers involved think their team and process are so good that the product has no vulnerabilities, that just means the people finding them are keeping it quiet. This is a pretty great example of a bug bounty doing exactly what it is supposed to.

    2. Charlie Clark Silver badge

      Re: Very clever

      You're right. But then again, this is also yet another instance of stricter security being bypassed for convenience for certain privileged services, in this case Apple's cloud storage which is quite clearly bypassing ACL security which should not allow the remote user to change the executable status of any files on my system. This used to be called download poisoning and is one of the reasons for sandboxing all file transfers.

    3. Anonymous Coward
      Anonymous Coward

      Re: Very clever

      "Hacking is a bit like chess - you've got a starting position, and then you exhaustively search all your moves from that point."

      ... and the really good players intuitively know which branches of moves are worth pursuing.

      I like your analogy!

  5. Marco van Beek

    Nice to see Apple pays out

    Microsoft doesn’t, even when you find a major hole in Outlook autodiscover that leaks every single corporate credential in plain text, and even have them confirm it in writing that you are right.

    1. sev.monster Silver badge
      Windows

      Re: Nice to see Apple pays out

      Someone sounds bitter. Personal experience with Redmond?

      As someone that has used a Microsoft product in the last week, which is already too short of a time, so am I.

    2. Blazde Silver badge

      Re: Nice to see Apple pays out

      Apple don't have a perfect track record of payouts either. In all these programmes most researchers ultimately end up at the mercy of the big company's charity and it'll remain that way until the industry sets up some kind of genuinely independent dispute resolution process. Which they have little incentive to do because headlines involving $100k feel good stories make bigger waves than bitter he-said she-said tales of individual and corporate grubbiness.

  6. elsergiovolador Silver badge

    Service

    Now services across the globe that bought the vulnerability have to look for a new one to track their targets...

    Interesting business model.

  7. Anonymous Coward
    Anonymous Coward

    Is this the guy?

    Is this the guy who keeps sending me email because he took over my webcam and watched me watching various types of entertaining videos? If so please get him to send me the right bitcoin id as the one he sent doesn’t work.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like