  • A talented security researcher has received $75,000 from Apple for reporting seven zero-days.
  • Three of these flaws could be used in an exploit chain to access the iPhone’s microphone and camera.
  • Apple fixed the critical problem in just a couple of weeks, so updating iOS and the Safari browser is crucial.

Former Amazon Web Services (AWS) security engineer Ryan Pickren has found a total of seven zero-day vulnerabilities in Apple’s Safari web browser (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, and CVE-2020-9787), three of which could be used to hack into the camera of the iPhone. The exploit would require the victim to visit a specially crafted malicious website, which would set the exploit chain in motion by abusing the way Safari parses URIs (Uniform Resource Identifiers), handles web origins, and initializes secure contexts.

The website's malicious JavaScript would access the camera and microphone of the device, as long as the user had previously trusted a site (even a legitimate one) with the same request. That site could be the web client of Zoom or “Skype.com”, which the researcher uses as an example.

So, there are some prerequisites for this attack to work, but the exploit chain is not far-fetched. Pickren reported all seven flaws to Apple in December 2019, and the fix for the three vulnerabilities that made the camera and microphone access possible came with the Safari 13.0.5 update on January 29, 2020. The other four flaws, which were admittedly less severe, were plugged on March 24, 2020, with the release of version 13.1. For this report, Pickren received a beefy bounty of $75,000, which left the security expert absolutely satisfied.

This is not the first time Pickren has cashed in on his skills, as he also worked with United Airlines in their Bug Bounty Program in 2016, earning free travel miles worth about $300,000. His latest work benefits millions of people who use their iPhones without worrying about having their cameras and microphones accessed by malicious actors.

Since the exploit chain occurs without asking for the user’s permission, victims would remain in the dark if this ever happened to them. Yet, the attacker would still get the media stream from the targeted microphone and camera. Security researcher Sean Wright commented on Forbes about this exploit, saying: “Few have been paying attention to their webcams as well as microphones on their mobiles, although people are a lot more likely to have their mobile on them for most of the time even when discussing sensitive matters. What Pickren discovered is somewhat complicated but certainly a very viable form of attack.”