The researcher found that he could gain unauthorized camera access via a shared iCloud document that could also “hack every website you’ve ever visited.”
https://threatpost.com/apple-bug-bounty-mac-webcam-hack/178114/
Apple’s personal item-tracker devices can be used to deliver malware, slurp credentials, steal tokens and more thanks to XSS.
https://threatpost.com/apple-airtag-zero-day-trackers/175143/