Bug hunter Ryan Pickren was awarded $100,500 by Apple as a bounty for discovering the Mac webcam hack. Pickren found that by exploiting a series of issues with iCloud and Safari 15, he could gain access to a Mac's webcam and, more importantly, to the victim's browsing history. The bounty is believed to be the largest amount paid under the company's bug bounty program.
In addition to its own security researchers, Apple invites independent researchers to register under its bug bounty program to find and report security exploits in exchange for cash rewards. The amount of each cash prize is determined by the nature of the exploit. For iCloud-related exploits, the cash prize listed on Apple's support page is $100,000, but Pickren received $500 above the set amount.
Student awarded highest bug bounty by Apple for reporting Mac hack that gave access to users' multimedia and accounts
In his detailed article on the Mac webcam hack, Pickren explained that a Safari UXSS bug could have given attackers access to users' webcam and microphone, as well as to accounts such as iCloud, Facebook, and PayPal. Apple has since patched this exploit.
My hack successfully gained unauthorized camera access by exploiting a series of issues with iCloud Sharing and Safari 15. While this bug does require the victim to click “open” on a popup from my website, it results in more than just multimedia permission hijacking. This time, the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too.
This research resulted in 4 0day bugs (CVE-2021-30861, CVE-2021-30975, and two without CVEs), 2 of which were used in the camera hack. I reported this chain to Apple and was awarded $100,500 as a bounty.
Pickren has become one of the few security researchers who are happy with Apple's bug bounty program. Previously, several researchers have complained about the program, accusing the tech giant of being callous about acknowledging the security flaws they discovered and indifferent towards fixing the vulnerabilities.