Apple paid a student $100,000 for successfully hacking a Mac

Hackers typically have a bad reputation, but without them, many security issues would remain undetected. This was proven by Ryan Pickren, a cybersecurity Ph.D. student at the Georgia Institute of Technology.

Pickren found a dangerous vulnerability on Apple Mac devices that granted unauthorized camera access. He reported it to Apple, and for his contribution, he was paid a record-setting $100,500 bounty.

College student Ryan Pickren received a hefty bounty from Apple for hacking a Mac webcam.

The hacker described the hacking process in a lengthy blog post, going into detail as to how he was able to achieve the end result. The bugs revolve around exploiting issues with iCloud Sharing and the Safari 15 browser. Although the issue may seem situational and unlikely to be replicated, all it takes is one vulnerability for a hacker to gain control of a person’s device.

The vulnerability began with an iCloud sharing app called ShareBear. Through ShareBear, users are able to grant access to each other in order to seamlessly share documents. Once the user accepted an invitation to share a particular file with another person, the Mac remembered this permission and never asked for it again. Unfortunately, while this seems like a nice quality-of-life feature at first glance, it can result in exploits.

As the file is stored on the cloud and not locally, it can be swapped at any time after permission is granted. This can result in a simple image or text file being turned into an executable file with malicious code. Pickren used this exploit to change file types and gain full access to the user’s Mac.
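A simplified model of the trust decision described above, added here as an illustration; it is not Apple's or Pickren's code, and the class names, share ID and file contents are constructed assumptions. It contrasts remembering an approval per share with pinning the approval to the content and type the user actually saw.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class SharedFile:
    """Constructed model of a cloud share whose owner can replace it at any time."""
    share_id: str
    name: str
    content: bytes

    @property
    def pin(self):
        # What the user actually approved: file type plus content digest.
        ext = self.name.rsplit(".", 1)[-1].lower() if "." in self.name else ""
        return ext, hashlib.sha256(self.content).hexdigest()


class RememberByShare:
    """Behaviour the article describes: one approval per share, never asked again."""
    def __init__(self):
        self.approved = set()

    def approve(self, f):
        self.approved.add(f.share_id)

    def needs_prompt(self, f):
        return f.share_id not in self.approved


class RememberByContent:
    """Hardened variant: the approval is only valid for the pinned type and digest."""
    def __init__(self):
        self.approved = {}

    def approve(self, f):
        self.approved[f.share_id] = f.pin

    def needs_prompt(self, f):
        return self.approved.get(f.share_id) != f.pin


def simulate(policy):
    """Return (prompted_on_first_open, prompted_after_owner_swaps_the_file)."""
    f = SharedFile("share-001", "holiday.png", b"constructed image bytes")
    first = policy.needs_prompt(f)
    policy.approve(f)
    # The owner later replaces the cloud copy with a different type and content.
    f.name, f.content = "holiday.bin", b"constructed replacement bytes"
    return first, policy.needs_prompt(f)
```

In this model the content-pinned policy also re-prompts after a legitimate edit by a collaborator, so a real design has to decide which changes, such as a change of file type, invalidate a remembered approval.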

ShareBear hacking flowchart.

Pickren said on his website: “While this bug does require the victim to click ‘open’ on a popup from my website, it results in more than just multimedia permission hijacking. This time, the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts, too.”

The file, once accessed via ShareBear, can be remotely launched at any moment without further prompt. As Pickren explains, this certainly opens the door to a potentially very dangerous hack, granting full access to the Mac in question.

Apple has fixed the bug in macOS Monterey 12.0.1 (launched on October 25, 2021) after Pickren reported it in July. His $100,500 bounty is, according to Pickren, the highest Apple has ever offered through its security program. Apple has also recently fixed another critical bug, this time involving WebKit.

This wasn’t Pickren’s first Apple hacking rodeo. In 2019, he was able to hack into the iPhone camera and microphone, exposing a number of dangerous vulnerabilities in Apple’s code. Apple rewarded him generously for his efforts, giving him $75,000 in return for finding and reporting the bugs.

Monica J. White