A security researcher discovered seven zero-day vulnerabilities in Mobile Safari and exploited them to hijack an iPhone camera.

The iPhone camera trick earned the investigator a $75,000 check from Apple.

Apple fixed the exploit through a Safari update earlier this year.


Apple recently paid a white-hat hacker $75,000 after he discovered a series of zero-day vulnerabilities that could have allowed a malicious actor to gain access to the camera on a user's iPhone or MacBook.

The story was first reported by Forbes: Ryan Pickren, a former Amazon security engineer, set out to explore the iPhone and find possible security loopholes in it.

The report says in part:

During December 2019, Pickren decided to test the notion that "bug searching is about finding assumptions in the software and violating those assumptions to see what happens." He chose to dig deeper into Apple Safari for iOS and macOS, to "forge the browser with obscure corner cases" until strange behavior was discovered. Pickren focused on the camera's security model, which he admits was "pretty intense."

Apple locks the iPhone camera and requires explicit user permission every time a third-party app wants to access it. Pickren found, however, that no such permission prompt is required when the request comes directly from another Apple app.

Pickren therefore went looking for vulnerabilities in Mobile Safari that would let him reach the iPhone's camera. In the end he found not one but seven zero-day vulnerabilities in Mobile Safari, and by chaining three of them together he gained access to the iPhone's camera.

The vulnerabilities involved the way Safari parsed Uniform Resource Identifiers, managed web origins, and initialized secure contexts. Yes, this involved tricking a user into visiting a malicious website. Still, that website could then access the camera directly, provided the user had previously trusted a video conferencing site such as Zoom. "A bug like this shows why users should never feel completely confident that their camera is secure," Pickren said, "regardless of operating system or manufacturer."

Pickren told Apple about his findings late last year, and the security issue was finally fixed in late January with a Safari update.

Interestingly, Apple, in stark contrast to companies like Microsoft and Google, had historically avoided paying researchers for discovering bugs. That changed in August 2016, when Apple instituted its first "bug bounty" program.

Naturally, the payout Apple offers for undisclosed bugs varies with the severity of the bug and the type of application involved. For example, Apple will pay $100,000 for a lock screen bypass. That number jumps to $250,000 for an attack capable of extracting user data. Apple's largest payout is $1,000,000, reserved for anyone who can carry out a network attack that requires no user interaction.

The table below highlights some of the payout tiers: