Student Gets $100k Bug Bounty for Breaching macOS Processes

Photo of the back of an Apple laptop

A January 26th, 2022, write-up by PhD cybersecurity student Ryan Pickren revealed that he successfully broke into Apple’s software processes. Pickren exploited a Safari browser UXSS vulnerability and even managed to hijack Apple’s Mac Webcam, which marks the second time the student has successfully exposed security flaws in Apple’s products.

The write-up, entitled “Hacking the Apple Webcam (again)” is an extremely detailed look into how Pickren dismantled Apple’s highly-regarded security walls. The write-up deconstructs his attack plan and various methods, how Apple fixed the issue, his earlier work, and more.

How Pickren Breached Apple’s Software Processes

This process began when Pickren decided to “give another go” to exposing vulnerabilities, since over a year went by since his “last Apple camera hacking project.” This time, he cleverly crafted several attack phases that would exploit security flaws associated with Safari 15 and iCloud Sharing.

To launch the hack, a victim needs to click the “open” button when prompted by a popup crafted by Pickren. This gives a potential attacker full access to every website the victim has ever visited. “That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too,” wrote Pickren.

UXSS Security Flaw in Safari

Pickren’s attack plan results in the injection of “evil code” into a target origin by using a Universal-Cross-Site Scripting (UXSS) security flaw.  A UXSS exploit affects browsers (Safari, in this case) and, by achieving an XSS condition, an attacker has insight into every website ever visited by a user. Such exploits have previously affected Google Chrome and, as such, Google Project Zero has published a paper about UXSS exploits, calling this bug “among the most significant threats for users of any browser.”

“Imagine building a website that can jump into https://zoom.com to turn on the camera, hop into https://paypal.com to transfer money, and hijack https://gmail.com to steal emails”, Pickren emphasized.

Implanting Malicious Code Into Webarchive Files

Webarchive files are created by the Safari browser to save websites locally as an alternative to HTML. In the code, Pickren found that these files openly display the web origin. If exploited by an attacker, by modifying the content with something such as an evil webarchive file (evil.webarchive), a UXSS exploit can be achieved.

In newer Safari versions, like 15, webarchive files are deemed malicious applications by Apple’s macOS protection system Gatekeeper. Apple’s macOS operating system in general is also notorious for permission queries on everything. Even still, Pickren found that “this old-school hack can still occur on the latest Safari and macOS builds.”

Leveraging ShareBear With a Custom URL Scheme

It was “tricky” to activate Launch Services and make a user download and access webarchive files, let alone share the files further. Pickren found a way to do this by leveraging an iCloud Sharing Application called ShareBear with a custom URL scheme hack (modified HTML script) that would make the system see this as a trusted process.

This way, once a user clicks “open” on a popup that includes a malicious script, that user is agreeing on much more than just opening the file. “In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment. Yikes,” wrote Pickren. A polymorphic file is a file that can change its form.

Adding a Shortcut to Fool GateKeeper

Since macOS Gatekeeper picked up on Pickren’s attempts to launch a webarchive file from an unidentified developer, he had to find another way around. He succeeded in using a shortcut to trick Safari into launching “evil.url” — the malicious code disguised as a legitimate URL shortcut.

Mission Accomplished

Since the hack is polymorphic, it starts as a PNG, turns into a DMG, and finally a URL file. Consequently, Pickren’s “icloud-sharing://” scheme can exfiltrate a user’s iOS camera roll by injecting code to https://www.icloud.com. Furthermore, this same process can be used to inject JavaScript code to turn on the webcam by hijacking trusted video chat websites such as https://zoom.us or https://facetime.apple.com.

“Mission accomplished,” remarked Pickren.

Apple Fixed the Issue and Paid Pickren a $100k Bug Bounty

Apple has since fixed security holes in macOS and Safari. Pickren’s work had far-reaching consequences. It resulted in a chain of four zero-day bugs (CVE-2021-30861 and 30975 and two without CVEs), two of which were used by Pickren for the camera hack.

Pickren wrote that he reported these bugs in mid-July 2021 and that it took Apple until early 2022 to patch all the issues. For Pickren’s hard work, Apple rewarded him with a bug bounty of $100,500.

About Ryan Pickren

Ryan Pickren is a PhD student in cybersecurity at the Georgia Institute of Technology. Pickren initially discovered similar issues in 2020 and was rewarded $75,000 at the time.

Tricking approved apps to do malicious things is what caught Apple’s systems off-guard. “This project was an interesting exploration of how a design flaw in one application can enable a variety of other, unrelated, bugs to become more dangerous,” wrote Pickren.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.