The exploit was demonstrated on a fully-patched Mac OS 10.4.9 system running Apple's Safari browser.
"You can steal cookies, you can steal browser cache, you can install malware. It is definitely serious," said independent security researcher Tom Ferris.
Users can defend against the vulnerability by disabling Java within the browser or by removing the QTJava.jar extension.
Dai Zovi wrote the exploit for a contest at the CanSecWest conference in which researchers were challenged to break into a pair of fully-patched MacBook Pro laptops.
The process of finding the vulnerability and writing the attack took Dai Zovi just nine hours.
"I began looking for a browser-based vulnerability around 10pm on Thursday night, had found one by around 3am, and had written a reliably working exploit by 7am," he told vnunet.com in an email interview.
As part of the contract for collecting the reward, Dai Zovi agreed to hand over the handling and development rights to the vulnerability to Tipping Point.
The company then immediately contacted Apple to report the flaw and added a fix to its own security software.
Apple did not return a request for comment. The company has a policy of not confirming or discussing vulnerabilities until after a fix has been issued.