Ryan Pickren, a cyber security student, was awarded a $100,500 bounty after he showed Apple how a vulnerability allowed him to gain unauthorised access to Mac webcams, which could potentially leave devices fully open to hackers. Pickren said in a blog post that this could be achieved by exploiting a series of issues with iCloud Sharing and Safari 15. “The bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too.”

Pickren said that Apple has now fixed this vulnerability. According to Pickren, the hack would ultimately mean that an attacker could gain full access to a device’s entire filesystem. This would be possible by exploiting Safari’s “webarchive” files. Webarchive is a file format used by the Safari web browser. It contains HTML, images, sound and video from web pages previously visited. “A startling feature of these files is that they specify the web origin that the content should be rendered in,” said Pickren.

“Until recently, no warnings were even displayed to the user before a website downloaded arbitrary files. So planting the webarchive file was easy,” he continued. However, now with Safari 13+, users are prompted before each download.
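The origin a webarchive claims can be read before the file is ever opened in Safari. The following is an added example, not code from Pickren's post or from Apple: a triage check for a downloaded webarchive. It assumes the usual webarchive property-list keys (`WebMainResource`, `WebSubresources`, `WebSubframeArchives`, `WebResourceURL`); the sample archive, its hosts and the watch list are constructed for illustration.

```python
import plistlib
from urllib.parse import urlsplit

def _origin(url):
    """Reduce a URL to scheme://host[:port], the origin the content would claim."""
    parts = urlsplit(url or "")
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else "(none)"

def declared_origins(archive_bytes):
    """Return (main origin, other origins) declared inside a webarchive plist."""
    found = []
    def walk(archive):
        found.append(_origin(archive.get("WebMainResource", {}).get("WebResourceURL")))
        for sub in archive.get("WebSubresources", []):
            found.append(_origin(sub.get("WebResourceURL")))
        for frame in archive.get("WebSubframeArchives", []):
            walk(frame)  # nested frames are complete archives themselves
    walk(plistlib.loads(archive_bytes))
    return found[0], sorted(set(found[1:]) - {found[0]})

def review(archive_bytes, sensitive_hosts):
    """Flag an archive whose main resource claims a host on the watch list."""
    main, others = declared_origins(archive_bytes)
    host = urlsplit(main).hostname or ""
    flagged = any(host == s or host.endswith("." + s) for s in sensitive_hosts)
    return {"main_origin": main, "other_origins": others, "flagged": flagged}

# Constructed sample: a benign archive that declares accounts.example.com as its origin.
SAMPLE = plistlib.dumps({
    "WebMainResource": {
        "WebResourceURL": "https://accounts.example.com/login",
        "WebResourceMIMEType": "text/html",
        "WebResourceTextEncodingName": "UTF-8",
        "WebResourceFrameName": "",
        "WebResourceData": b"<html><body>saved page</body></html>",
    },
    "WebSubresources": [{
        "WebResourceURL": "https://cdn.example.net/logo.png",
        "WebResourceMIMEType": "image/png",
        "WebResourceData": b"",
    }],
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print(review(SAMPLE, ["example.com"]))
```

A file that arrived from one site but declares a different, sensitive origin is the mismatch worth investigating.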

It should be noted that Apple has not confirmed any vulnerability. For the uninitiated, Apple’s bug bounty program offers $100,000 for attacks that gain “unauthorized access to sensitive data.” Apple defines sensitive data as access to contacts, mail, messages, notes, photos or location data.

Earlier, in May 2021, Apple’s AirTag was exploited by hackers to modify the firmware of the device. Apple had released the AirTag to help people keep track of their misplaced items. According to a tweet, the Bluetooth-enabled tracker has reportedly been hacked by a German cybersecurity researcher, which is a first for the device. The researcher reverse-engineered the AirTag’s microcontroller to hack it.