Apple paid a student $100,000 for successfully hacking a Mac

Hackers typically have a bad reputation, but without them, many security issues would remain undetected. This was proven by Ryan Pickren, a cybersecurity Ph.D. student at the Georgia Institute of Technology.

Pickren found a dangerous vulnerability on Apple Mac devices that granted unauthorized camera access. He reported it to Apple, and for his contribution, he was paid a record-setting $100,500 bounty.

College student Ryan Pickren received a hefty bounty from Apple for hacking a Mac webcam.

The hacker described the hacking process in a lengthy blog post, going into detail as to how he was able to achieve the end result. The bugs revolve around exploiting issues with iCloud Sharing and the Safari 15 browser. Although the issue may seem situational and unlikely to be replicated, all it takes is one vulnerability for a hacker to gain control of a person’s device.

The vulnerability began with an iCloud sharing app called ShareBear. Through ShareBear, users are able to grant access to each other in order to seamlessly share documents. Once the user accepted an invitation to share a particular file with another person, the Mac remembered this permission and never asked for it again. Unfortunately, while this seems like a nice quality-of-life feature at first glance, it can result in exploits.

As the file is stored on the cloud and not locally, it can be swapped at any time after permission is granted. This can result in a simple image or text file being turned into an executable file with malicious code. Pickren used this exploit to change file types and gain full access to the user’s Mac.
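The design flaw described above, remembering approval per share while the shared content can change later, can be shown with a small model. This is an added example, not code from the article, from Pickren, or from Apple; the class, function names, and sample bytes are hypothetical, and pinning approval to content is a general mitigation shown for contrast, not a description of Apple's fix.

```python
import hashlib


class ShareApprovals:
    """Toy model of a client that remembers which shared files the user approved."""

    def __init__(self, pin_content: bool):
        # pin_content=False: approval is remembered per share only (the flawed design).
        # pin_content=True: approval is bound to the file type and content digest.
        self.pin_content = pin_content
        self._approved = {}  # share_id -> None (unpinned) or (kind, sha256 hex)

    @staticmethod
    def _fingerprint(kind: str, data: bytes):
        return (kind, hashlib.sha256(data).hexdigest())

    def approve(self, share_id: str, kind: str, data: bytes) -> None:
        """Record the user's one-time 'open' decision for this share."""
        pinned = self._fingerprint(kind, data) if self.pin_content else None
        self._approved[share_id] = pinned

    def needs_prompt(self, share_id: str, kind: str, data: bytes) -> bool:
        """Return True if the user must be asked again before the file is opened."""
        if share_id not in self._approved:
            return True
        pinned = self._approved[share_id]
        if pinned is None:
            return False  # remembered by share only: any later content is trusted
        return pinned != self._fingerprint(kind, data)


def simulate(pin_content: bool):
    """Approve an image, then let the share owner replace it in the cloud.

    Returns (prompt_for_unchanged_file, prompt_for_swapped_file).
    """
    approvals = ShareApprovals(pin_content)
    share_id = "share-0001"  # constructed identifier
    original = ("image/png", b"\x89PNG constructed sample bytes")
    swapped = ("application/x-executable", b"constructed replacement bytes")
    approvals.approve(share_id, *original)
    return (approvals.needs_prompt(share_id, *original),
            approvals.needs_prompt(share_id, *swapped))


if __name__ == "__main__":
    print("remember-by-share:", simulate(False))
    print("pinned to content:", simulate(True))
```

With approval remembered per share, the swapped file opens without a prompt; with approval pinned to type and digest, the unchanged file still opens silently but the swapped one triggers a new prompt.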

ShareBear hacking flowchart.

Pickren said on his website: “While this bug does require the victim to click ‘open’ on a popup from my website, it results in more than just multimedia permission hijacking. This time, the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts, too.”

The file, once accessed via ShareBear, can be remotely launched at any moment without further prompt. As Pickren explains, this certainly opens the door to a potentially very dangerous hack, granting full access to the Mac in question.

Apple fixed the bug in macOS Monterey 12.0.1 (launched on October 25, 2021) after Pickren reported it in July. His $100,500 bounty is, according to Pickren, the highest Apple has ever offered through its security program. Apple has also recently fixed another critical bug, this time involving WebKit.

This wasn’t Pickren’s first Apple hacking rodeo. In 2019, he was able to hack into the iPhone camera and microphone, exposing a number of dangerous vulnerabilities in Apple’s code. Apple rewarded him generously for his efforts, giving him $75,000 in return for finding and reporting the bugs.

Monica J. White
Monica is a computing writer at Digital Trends, focusing on PC hardware. Since joining the team in 2021, Monica has written…