Apple Paid Hacker $75,000 for Uncovering Zero-Day Camera Exploits in Safari - MacRumorsOpen MenuShow RoundupsShow Forums menuVisit ForumsOpen Sidebar
Skip to Content

Apple Paid Hacker $75,000 for Uncovering Zero-Day Camera Exploits in Safari

Apple paid out $75,000 to a hacker for identifying multiple zero-day vulnerabilities in its software, some of which could be used to hijack the camera on a MacBook or an iPhone, according to Forbes.

ipadprocamerabumps
A zero-day vulnerability refers to a security hole in software that is unknown to the software developer and the public, although it may already be known by attackers who are quietly exploiting it.

Security researcher Ryan Pickren reportedly discovered the vulnerabilities in Safari after he decided to "hammer the browser with obscure corner cases" until it started showing weird behavior.

The bug hunter found seven exploits in all. The vulnerabilities involved the way that Safari parsed Uniform Resource Identifiers, managed web origins and initialized secure contexts, and three of them allowed him to get access to the camera by tricking the user to visit a malicious website.

"A bug like this shows why users should never feel totally confident that their camera is secure," Pickren said, "regardless of operating system or manufacturer."

Pickren reported his research through Apple's Bug Bounty Program in December 2019. Apple validated all seven bugs immediately and shipped a fix for the camera kill chain a few weeks later. The camera exploit was patched in Safari 13.0.5, released January 28. The remaining zero-day vulnerabilities, which Apple judged to be less severe, were patched in Safari 13.1, released on March 24.

Apple opened its bug bounty program to all security researchers in December 2019. Prior to that, Apple's bug bounty program was invitation-based and non-iOS devices were not included. Apple also increased the maximum size of the bounty from $200,000 per exploit to $1 million depending on the nature of the security flaw.

When submitting reports, researchers must include a detailed description of the issue, an explanation of the state of the system when the exploit works, and enough information for Apple to reliably reproduce the issue.

This year, Apple plans to provide vetted and trusted security researchers and hackers with "dev" iPhones, or special iPhones that provide deeper access to the underlying software and operating system that will make it easier for vulnerabilities to be discovered.

These iPhones are being provided as part of Apple's forthcoming iOS Security Research Device Program, which aims to encourage additional security researchers to disclose vulnerabilities, ultimately leading to more secure devices for consumers.

Popular Stories

safari notify macos 27

New Safari Can Monitor a Webpage and Notify You of Updates

Monday June 8, 2026 11:04 am PDT by
Apple's new version of Safari browser in macOS 27 and iOS 27 can be tasked to monitor a webpage and notify you of any changes, thanks to a new built-in feature. With "Notify Me," Safari can keep checking a website on your behalf – such as a product you've been watching for when it comes back in stock – and alert you when a change occurs. In other upcoming feature additions, using the ...
safari tab groups apple intelligence

Apple Brings AI Tab Organization and AI-Generated Extensions to Safari

Monday June 8, 2026 1:18 pm PDT by
Apple today unveiled a raft of Safari upgrades powered by Apple Intelligence, including automatic tab organization, AI-generated custom extensions, and new privacy-first browsing tools. The centerpiece feature is automatic tab organization, which uses Apple Intelligence to group a user's open tabs into relevant topics without any manual intervention. If someone is planning a weekend trip,...
iCloud iPhone 17 Pro

iPhone Users Who Pay for iCloud Storage Get Two New Perks on iOS 27

Thursday July 2, 2026 6:10 am PDT by
If you pay for certain iCloud+ storage plans beyond the 5GB that Apple offers for free, you will receive two more perks on iOS 27 at no additional cost. A summary of the two new iCloud+ perks on iOS 27:Increased daily usage limits for some new Apple Intelligence features, including image generation in the revamped Image Playground app. HomeKit Secure Video cameras receive generated video...

Top Rated Comments

82 months ago
Good Apple.
Score: 10 Votes (Like | Disagree)
Justanotherfanboy Avatar
82 months ago

The iPhone needs a camera light hardwired to the camera itself just like the Mac so that exploits like this would at least be noticeable.

So only $75,000 for an exploit that can allow remotely accessing the camera on the Mac or iPhone? Then what in the hell is a $1,000,000 bounty for?
Remote root access, allowing an attacker complete takeover of the system, including deleting the admin account, changing password, etc.
Score: 9 Votes (Like | Disagree)
82 months ago
Considering the median US income is around $60k ... $75k is more than a year's work for most Americans. I definitely would not complain.
Score: 7 Votes (Like | Disagree)
tridley68 Avatar
82 months ago
$75000 sounds a little light he should have held out for more.
Score: 6 Votes (Like | Disagree)
MacBH928 Avatar
82 months ago
cameras and microphones should have physical disconnection
Score: 5 Votes (Like | Disagree)
b0nd18t Avatar
82 months ago
I really wish iPhones came with a physical camera kill switch TBH
Score: 4 Votes (Like | Disagree)