The researcher gained unauthorized camera access via Safari and iCloud Sharing.
Research by Ryan Pickren resulted in four zero-day bugs, two of which were used in the camera hack. Apple rewarded Pickren with $100,500 via the company's bug bounty program.
The researcher claims that in addition to turning on the user's camera, the bug also allows the attacker to access every website ever visited by the victim.
"That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too," Pickren writes.
The researcher claims he submitted his findings to Apple in mid-July 2021. The iPhone maker patched all issues in early 2022 and awarded the researcher $100,500 as a bounty.
A single permission
The bugs were found in ShareBear, iCloud's file-sharing mechanism. The app prompts users only when they try to open a shared document for the first time.
Pickren found that since users are no longer prompted once they've opened the file for the first time, anyone who has access to the contents of the file can alter it.
"ShareBear will then download and update the file on the victim's machine without any user interaction or notification. In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment. Yikes," claims Pickren.
The key step is tricking the victim into opening the file for the first time, which gives the attacker the means to alter the shared file without the victim knowing about it.
The researcher explained that attackers could use something as simple as a PNG format image file and later change its entire content after the user has agreed to open it.
In essence, the research showed that a design flaw in one application could enable a variety of other bugs to become very dangerous to the user.
"It was also a great example of how even with macOS Gatekeeper enabled, an attacker can still achieve a lot of mischief by tricking approved apps into doing malicious things," Pickren concluded in the report.
Pile of bugs
Last September, security researchers from the Universities of Birmingham and Surrey released a paper detailing how hackers can bypass the Apple Pay lock screen on any iPhone with a Visa card set up in Express transit mode.
According to the paper, attackers can bypass the contactless limit, allowing unlimited EMV contactless transactions from a locked iPhone. To prove their point, researchers successfully carried out an attack, 'stealing' a thousand pounds (around $1,300) from their personal accounts.
Earlier last year, internet security watchdog group Citizen Lab announced a critical Apple software vulnerability, dubbed FORCEDENTRY. Citizen Lab claims that the zero-day exploit against iMessage was effective against Apple's mobile devices, laptops, and watches.
A separate group of security researchers has also reported four critical zero-day security vulnerabilities in Apple's iOS 14. The vulnerabilities affect a wide range of iOS data, allowing perpetrators to access apps, browsing history, and personal health data.