A zero-day vulnerability refers to a security hole in software that is unknown to the software developer and the public, although it may already be known by attackers who are quietly exploiting it.
Security researcher Ryan Pickren reportedly discovered the vulnerabilities in Safari after he decided to “hammer the browser with obscure corner cases” until it started showing weird behavior.
The bug hunter found seven exploits in all. The vulnerabilities involved the way that Safari parsed Uniform Resource Identifiers, managed web origins and initialized secure contexts, and three of them allowed him to get access to the camera by tricking the user to visit a malicious website.
“A bug like this shows why users should never feel totally confident that their camera is secure,” Pickren said, “regardless of operating system or manufacturer.”
Pickren reported his research through Apple’s Bug Bounty Program in December 2019. Apple validated all seven bugs immediately and shipped a fix for the camera kill chain a few weeks later. The camera exploit was patched with in Safari 13.0.5, released January 28. The remaining zero-day vulnerabilities, which Apple judged to be less severe, were patched in Safari 13.1, released on March 24.
Apple opened its bug bounty program to all security researchers in December 2019. Prior to that, Apple’s bug bounty program was invitation-based and non-iOS devices were not included. Apple also increased the maximum size of the bounty from $200,000 per exploit to $1 million depending on the nature of the security flaw.
When submitting reports, researchers must include a detailed description of the issue, an explanation of the state of the system when the exploit works, and enough information for Apple to reliably reproduce the issue.
This year, Apple plans to provide vetted and trusted security researchers and hackers with “dev” iPhones, or special iPhones that provide deeper access to the underlying software and operating system that will make it easier for vulnerabilities to be discovered.
These iPhones are being provided as part of Apple’s forthcoming iOS Security Research Device Program, which aims to encourage additional security researchers to disclose vulnerabilities, ultimately leading to more secure devices for consumers.