Jan 31 — Via a shared iCloud document, one researcher discovered the ability to “hack every website you’ve ever visited” on your iPhone.
The researcher showed Apple how its webcams can be hijacked via a universal cross-site scripting bug. In return for the valuable insights, Apple has awarded the individual a record $100.5K bug bounty. In theory, the bug could be used by malicious persons as part of an attack that could trace every website ever visited by the victim.
This isn’t the first time that bug-finder Ryan Pickren has discovered bugs that could allow hackers to access private data via Apple’s cameras. In 2020, he uncovered vulnerabilities in the Safari browser platform that could enable adversaries to snoop on iPhones, iPads, and Macs via microphones and cameras. All the target had to do was accidentally click on a malicious link.
The bug was discovered within ShareBear, a behind-the-scenes iCloud file-sharing app. Pickren observed that anyone with access to a certain file can modify the file’s contents and ultimately open a webarchive file.