As pointed out by Ryan Pickren on his blog, a vulnerability in Safari allowed websites to access the iPhone’s cameras without users’ knowledge.
Besides this, the vulnerability also allowed a malicious website to sneak in and pose as a trusted website in Desktop View in Safari on Mac, iOS and iPadOS.
Even worse, on a secure website, there might also be advertisements that could violate users’ privacy, or hackers could use their “fraudulent identity” to intrude and steal personal data.
This security flaw was possible because the default settings allowed trusted websites to access the camera and microphone without manual permission having to be granted by the user. A malicious website therefore had to be disguised as a video-conferencing website such as Skype or Zoom, and users wouldn’t be aware of it.
Apple has offered a reward of $75,000 for disclosing the vulnerability to them, given that he reported it and it was found to fall into the “Network Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data” category, for which Apple usually offers bounties on the developer website.