Security researcher Ryan Pickren reveals that in December he discovered three vulnerabilities in Safari that together made it possible to take over both the camera and the microphone on virtually any iOS or macOS device, reports Wired.
All that was needed was for the victim to click on a malicious link, which could then pass itself off as, for example, "Skype" and obtain all the permissions that the user had previously given to Skype, such as access to the camera and microphone.
"An attacker could just start taking pictures of you or turn on your microphone or even screen-share," Pickren said. "I just kind of hammered the browser with really weird cases until Safari got confused."
Having made the discovery, Pickren dutifully alerted Apple to the vulnerabilities, which were then patched in January and March. He says he was paid a bounty of $75,000 (about £61,000) for the successful bug hunt.
Apple's grudging acceptance of the role of white-hat security researchers has seen its bounty programme expand, and while instances like this make for alarming headlines, they improve security overall.