A pair of security researchers have successfully hacked a Mac belonging to billionaire film producer Jeffrey Katzenberg — proving that owning a macOS device isn’t an automatic defense against cyber threats.
Rachel Tobac, a social engineer and CEO of SocialProof Security, successfully carried out the attack on the unspecified macOS device. According to Tobac, the attack was a demonstration for identity theft protection firm Aura — a company that Katzenberg invests in.
We just hacked a billionaire!
Got consent 1st then got to work hacking Jeffrey Katzenberg. @Evantobac & I stole his pics, emails, and contacts then turned on his mic (without an indicator light) & listened to his phone calls.
Here’s the video on how we hacked a billionaire: pic.twitter.com/t63JJQccIr
— Rachel Tobac (@RachelTobac) March 16, 2022
Tobac leveraged a since-patched vulnerability and social engineering skills to get Katzenberg to click on a phishing link on a spoofed website. Once Katzenberg did so, she was able to steal photos, emails, and contacts from the Mac.
Additionally, the hacker was able to turn on the Mac’s microphone and eavesdrop on Katzenberg without triggering the built-in macOS microphone indicator.
Tobac’s husband Evan — also a hacker and security researcher — published another Twitter thread with details on the macOS vulnerability.
More specifically, the exploit leveraged the underlying bug to carry out an attack using iCloud links and Safari’s sharing preferences. Importantly, the attack only worked because Katzenberg’s Mac was out of date by several updates.
This attack worked because Jeffrey’s OS/browser were out of date by close to 4 months.
4 months was enough for detailed descriptions of the vulnerabilities to become public, for me to read about them and incorporate them into an attack.
This is a good segue into mitigations.
— Evan Tobac (@evantobac) March 16, 2022
According to both Tobacs, some mitigations for the specific attack include keeping machines patched with the latest security updates, using at least two methods of verification for communications, and avoiding clicking on suspicious email links — particularly if they are sent in an urgent manner.