Skip to main content

Apple paid a student $100,000 for successfully hacking a Mac

Hackers typically have a bad reputation, but without them, many security issues would remain undetected. This was proven by Ryan Pickren, a cybersecurity Ph.D. student at the Georgia Institute of Technology.

Pickren found a dangerous vulnerability on Apple Mac devices that granted unauthorized camera access. He reported it to Apple, and for his contribution, he was paid a record-setting $100,500 bounty.

Related Videos
College student Ryan Pickren received a hefty bounty form Apple for hacking a Mac webcam.
Image source: RyanPickren.com

The hacker described the hacking process in a lengthy blog post, going into detail as to how he was able to achieve the end result. The bugs revolve around exploiting issues with iCloud Sharing and the Safari 15 browser. Although the issue may seem situational and unlikely to be replicated, all it takes is one vulnerability for a hacker to gain control of a person’s device.

The vulnerability began with an iCloud sharing app called ShareBear. Through ShareBear, users are able to grant access to each other in order to seamlessly share documents. Once the user accepted an invitation to share a particular file with another person, Mac remembered this permission and never asked for it again. Unfortunately, while this seems like a nice quality-of-life feature at first glance, it can result in exploits.

As the file is stored on the cloud and not locally, it can be swapped at any time after permission is granted. This can result in a simple image or text file being turned into an executable file with malicious code. Pickren used this exploit to change file types and gain full access to the user’s Mac.

ShareBear hacking flowchart.
Image source: RyanPickren.com

Pickren said on his website: “While this bug does require the victim to click ‘open’ on a popup from my website, it results in more than just multimedia permission hijacking. This time, the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts, too.”

The file, once accessed via ShareBear, can be remotely launched at any moment without further prompt. As Pickren explains, this certainly opens the door to a potentially very dangerous hack, granting full access to the Mac in question.

Apple has fixed the bug in MacOS Monterey 12.0.1 (launched on October 25, 2021) after Pickren reported it in July. His $100,500 bounty is, according to Pickren, the highest Apple has ever offered through its security program. Apple has also recently fixed another critical bug, this time involving WebKit.

This wasn’t Pickren’s first Apple hacking rodeo. In 2019, he was able to hack into the iPhone camera and microphone, exposing a number of dangerous vulnerabilities in Apple’s code. Apple rewarded him generously for his efforts, giving him $75,000 in return for finding and reporting the bugs.

Editors' Recommendations

The Windows 11 taskbar is getting an important new update
windows 11 taskbar third party app pinning

Microsoft is working on new experiences for Windows that will allow developers to enable pinning for third-party applications, as well as enable pinning to the Taskbar.

Microsoft recently announced the details of these upcoming functions in a blog post. This is the brand's attempt to universalize its pinning process across all apps used on Windows. In practice, it will be similar to how pinning works on the Edge browser, with the Windows 11 users being notified by the Action Center about a request for pinning to the Taskbar by the app in question.

Read more
Firefox just got a great new way to protect your privacy
Canva in Firefox on a MacBook.

If you’re fed up with signing up for new accounts online and then being perpetually spammed in the days and weeks after, Mozilla has an idea that could help. The company has just announced its Firefox Relay feature is being directly integrated into its Firefox web browser, and it could help guarantee your privacy without any extra hassle.

Firefox Relay works by letting you create email “masks” when you sign up for new accounts. Instead of entering your real credentials into the sign-up field, Firefox Relay provides you with a throwaway address and phone number to use. Any messages from the website -- such as purchase receipts -- are then forwarded to your real email address, with all the sender’s tracking information stripped out to protect your privacy.

Read more
The most common Chromebook problems and how to fix them
A person working on a Toshiba Chromebook.

Chromebooks are great alternatives to MacBooks and Windows 10 laptops, but they aren’t perfect. Any laptop computer is bound to have issues, and some of the most common problems faced by Chromebook users can feel difficult or even impossible to solve on their own. 

From issues with updates to internet connectivity, troubleshooting common Chromebook problems doesn’t have to ruin your day. Read on to discover easy fixes for the most frequent issues Chromebook users face. 
The Diagnostics app

Read more