Apple pays major bug bounty to fix Safari flaw that hacked your webcam
One day you’re downloading a cute .PNG file, the next, your camera is turning on by itself
A cybersecurity researcher has uncovered a dangerous flaw in Apple’s macOS, which enabled attackers to access the victims’ logged-in online accounts and even get into their webcams.
The flaw, which Ryan Pickren reported to the Cupertino giant last summer, was patched earlier this month, while Pickren got to go home with a $100,000 bounty.
The bug, a universal cross-site scripting (UXSS) flaw, resided in the OS’ browser, Safari.
Full access
Explaining the end result to The Register, Pickren said it grants the attacker “full access to every website you’ve visited in Safari, meaning that if you’re visiting my evil website on one tab, and then your other tab, you have Twitter open, I can jump into that tab and do everything you can from that screen. So it does allow me to fully perform an account takeover on every website you visited in Safari.”
Here’s how it works (in as short an explanation as possible): Safari has a number of custom URI schemes, such as mailto:, s3:, and so on. One of them is called icloud-sharing:, and triggering it opens up ShareBear, an internal macOS app designed for document sharing via iCloud. A website, for example, can trigger it, and have Safari load content hosted elsewhere.
Running malicious webarchives
This wouldn’t be a problem, were it not for the simple fact that the downloaded files could later be altered by the author. So, a victim could download an innocent .PNG file, only to have it transform into a malicious webarchive file.
“In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment. Yikes. Agreed to view my PNG file yesterday? Well today it’s an executable binary that will be automatically launched whenever I want,” Pickren explained in a further blog post.
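The following is an added example, not code from the article or from Pickren's write-up: a defender-side check that snapshots shared files by content rather than by name and flags any that later change type, such as a PNG that has become a webarchive. It assumes the file keeps its name between scans; the function names and sample data are constructed for illustration.

```python
import hashlib
import plistlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def sniff(data: bytes) -> str:
    """Classify content by what it is, not by its file name."""
    if data.startswith(PNG_MAGIC):
        return "png"
    try:
        plist = plistlib.loads(data)  # accepts binary and XML property lists
    except Exception:
        return "unknown"
    # Safari webarchives are property lists with a WebMainResource entry.
    if isinstance(plist, dict) and "WebMainResource" in plist:
        return "webarchive"
    return "plist"

def snapshot(files: dict) -> dict:
    """Record (sha256, sniffed type) for each {name: bytes} entry."""
    return {name: (hashlib.sha256(data).hexdigest(), sniff(data))
            for name, data in files.items()}

def changed_files(baseline: dict, current: dict) -> list:
    """Return (name, old_type, new_type) for files whose content changed."""
    findings = []
    for name, (digest, kind) in current.items():
        old = baseline.get(name)
        if old and old[0] != digest:
            findings.append((name, old[1], kind))
    return findings

# Constructed sample data: a stub PNG and a minimal webarchive-shaped plist.
SAMPLE_PNG = PNG_MAGIC + b"\x00" * 16
SAMPLE_WEBARCHIVE = plistlib.dumps(
    {"WebMainResource": {"WebResourceURL": "https://example.com/",
                         "WebResourceMIMEType": "text/html",
                         "WebResourceData": b"<html></html>"}},
    fmt=plistlib.FMT_BINARY)

def demo() -> list:
    day1 = snapshot({"cat.png": SAMPLE_PNG, "notes.txt": b"hello"})
    day2 = snapshot({"cat.png": SAMPLE_WEBARCHIVE, "notes.txt": b"hello"})
    return changed_files(baseline=day1, current=day2)

if __name__ == "__main__":
    for name, old, new in demo():
        print(f"{name}: content changed, {old} -> {new}")
```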
To open the webarchive file, Pickren further explains, he needed to bypass the Gatekeeper restriction, which turned out to be relatively simple. He did it via a custom webpage, which can run JavaScript in an arbitrary origin (think facebook.com). That allowed him, among other things, to turn on the camera.
To fix the problem, Apple did two things. First, it made ShareBear just reveal downloaded files, rather than launch them, in macOS Monterey 12.0.1. Second, it patched Safari’s engine, WebKit, to stop downloaded webarchives from being opened.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.