Apple Pays Hacker Record Amount

He used a web browser and a document shared through an iCloud app to gain control of a computer.

Although hackers have been described in numerous ways, they’re not always terrorists, thieves, criminals or heartless bastards, as one colleague refers to them.

For example, there’s Ryan Pickren. He’s a cybersecurity Ph.D. student at Georgia Tech who was recently paid over $100,000 by Apple after discovering and reporting a vulnerability that allowed unauthorized users to gain access to cameras and web browsers on Mac computers.

According to Pickren, and as reported by Digital Trends, the amount is the highest reward Apple has ever doled out to a hacker. 

Summing up what he describes at length on his blog, Pickren was able to use a document shared via an iCloud app called ShareBear and the Safari 15 browser to gain control of an individual’s personal computer.

Similar to something like Dropbox, ShareBear users can grant access to others to provide a shared work environment for storing and editing documents or files. However, Pickren discovered that once the user accepted an invitation to share a particular file, the Mac remembered this permission — and never asked for it again.

So as long as the file keeps the same name and file type, no new permission is sought, meaning anyone sharing the file could alter it to run malicious code on the device accessing that file.

While this would require a potential victim to click on a pop-up from the hacker’s website, doing so could provide access to an individual’s web camera and browsing history, and any passwords associated with online banking, email, PayPal, social media or several other online or cloud-based data points.

Additionally, once initial access is provided, the hack can be replicated without any further prompts — so until the file is deleted or permissions changed, a hacker could continue to have access to all this data without the victim even knowing it.

Apple reportedly fixed the bug in October after Pickren reported it last July.

As an aside, this wasn’t Pickren’s first white hat experience. He previously earned $75,000 for hacking an iPhone camera and microphone, exposing a number of dangerous vulnerabilities in Apple’s code.
