date 2022-01-25

A student has hacked the cameras of Macs, revealing a security flaw in the system.

Apple pays a lot of attention to security. It therefore offers rewards to researchers who find vulnerabilities in its devices.

That was the case for a cybersecurity student who earned just over $100,000 for reporting a serious and dangerous bug affecting the macOS webcam to the company.

Ryan Pickren, who has reported other bugs to Apple before, runs a website where he has described his new discovery in detail, a finding that has spared Mac users a very dangerous attack.

Risk of information theft on Mac

According to the student, the Mac webcam exploit stemmed from a combination of issues in iCloud and in Safari's web archive files.

“An amazing feature of these files is that they specify the web origin to which the content should be rendered,” Pickren writes. “This is an awesome trick to allow Safari to reconstruct the saved website context, but as the authors of Metasploit pointed out in 2013, if an attacker can somehow modify this file, they could effectively achieve UXSS [universal cross-site scripting] by design.”

Modifying such a Safari file could give an intruder a way in. However, the bug only worked if the user downloaded the file and then opened it.

“Before Safari 13, warnings were not even displayed to the user before a website downloaded arbitrary files,” he continued. “So planting the web archive file was easy.”

A realistic scenario, though one of uncertain likelihood, which is why Apple implemented this file format in Safari without foreseeing the risks.

“This decision was made nearly a decade ago, when the browser security model was not as mature as it is today,” says Ryan Pickren, explaining Apple's decision.

Apple and device security

Pickren says the company has already fixed the issue, apparently before anyone else could exploit it in an attack.

The webcam flaw, combined with the Safari and iCloud vulnerabilities, would have let an intruder gain access to web accounts, from passwords to PayPal data and, naturally, the user's iCloud account.

So far, Apple has said nothing about the bug or reported any affected users. Pickren therefore has reason to believe that it was an undiscovered bug that has since been removed.

The student was awarded $100,500 from Apple's bug bounty program, which pays up to 1 million dollars depending on the category of the flaw found.

In this respect, Apple has been strongly criticized for its process of verifying, paying for and fixing reported bugs: it is said to end up paying less than it has stipulated, and to take time fixing bugs that should be eliminated immediately.

That was the case with a recent iOS bug that bricks the iPhone, which had been reported to the company back in August 2021.

Not everything is bad, though: when a flaw is very dangerous, Apple acts immediately to offer solutions that help the user, as it did recently when it contacted everyone affected by the Pegasus malware.

Apple appears to be going through a streak of bugs that have compromised the security of its devices. This one joins the recent Safari bug that leaks browsing history and data about the user's Google account.

