Apple Quickly Fixes Bug That ‘Hijacked’ Device Cameras

April 9, 2020

A security researcher found vulnerabilities that could allow a hacker to spy on users through their Apple devices’ cameras and microphones. The security researcher found three bugs on Apple’s web browser, Safari, that could be used by hackers to take over a person’s webcam and microphone on iOS and macOS devices. All a victim would need to do was click on a malicious link, which would appear as an app they already had. A hacker could then be able to spy on them remotely.

Apple quickly responded when alerted to the security glitch and patched vulnerabilities through Safari security updates in January and March.

Ryan Pickren, the security researcher who exposed the vulnerabilities to Apple, told Wired that Safari encourages users to save their preferences for site permissions, like whether to trust Skype with microphone and camera access. “So what an attacker could do with this kill chain is make a malicious website that, from Safari’s perspective, could then turn into ‘Skype,’ ” he explains. “And then the malicious site will have all the permissions that you previously granted to Skype, which means an attacker could just start taking pictures of you or turn on your microphone or even screen share.”

Hackers could spy on users from iPhones, iPads, and Macs.

Pickren submitted the vulnerabilities to Apple’s bug bounty program in mid-December. The next day the company responded, validating his findings. Pickren received $75,000 from Apple for the tip. Apple expanded its bug bounty program in December to help uncover vulnerabilities across more of its products and services.

Apple users are urged to make updates to their devices to account for this latest security patch.

As videoconferencing tools grow in the era of a global pandemic, more security experts are raising potential flaws to systems that users should beware of. For example, the rising popularity of Zoom has prompted a rise in “zoombombing” reports, in which users’ video calls are hacked by others during a call. Zoom quickly responded with new security settings that require a password for personal meeting IDs. Security researchers also offer additional tips for keeping your video calls more secure.