Apple had announced a ‘Sign in with Apple’ feature in 2019 that basically allows users to sign in to third-party apps and websites using Apple ID.
Apple is regarded as one of the most secure platforms; however, a newly disclosed security flaw could have allowed hackers to fully take over any account linked to it. The critical flaw was reported by 27-year-old Bhavuk Jain.
Apple is said to have fixed the issue and rewarded Jain, an Indian developer, with a whopping $100,000 (approx. Rs 75 lakh) under its bug bounty programme.
The feature is said to be more private and secure than conventional sign-in via Google and Facebook: users have the option not to disclose their Apple ID when signing up to third-party apps or websites. However, the feature was marred by a zero-day vulnerability, the researcher claims.
Jain said that the vulnerability allowed hackers to bypass the authentication and take over the user accounts on third-party apps that used the ‘Sign in with Apple’ feature. “The Sign in with Apple works similarly to OAuth 2.0. There are two possible ways to authenticate a user by either using a JWT (JSON Web Token) or a code generated by the Apple server. The code is then used to generate a JWT,” Jain said in a blog post.
Jain said that Apple gives the user the choice of whether or not to share their Apple Email ID. If the user decides to hide it, Apple generates its own user-specific Apple Email ID and then creates a JWT containing that email ID, which is used to log the user in to the third-party app.
“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account,” he further added. He also said that Apple investigated its logs and servers and found no misuse of the vulnerability and no compromised accounts.
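The flow Jain describes ends with a third-party app checking a JWT. As an added example (not code from the article or from Jain's post), the routine below shows the relying-party checks that go beyond "the signature is valid": issuer, audience, expiry and a per-login nonce, with the local account keyed on the stable `sub` claim rather than on the email claim. It assumes a constructed HMAC key in place of Apple's real RS256 keys and a hypothetical client ID, so it runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for Apple's signing key. Apple signs ID tokens with RS256 and
# publishes its public keys; HS256 is used here only so the example runs offline.
SIGNING_KEY = b"constructed-demo-key"
APPLE_ISSUER = "https://appleid.apple.com"
CLIENT_ID = "com.example.app"  # hypothetical relying-party client ID


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a compact JWT (header.payload.signature) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Return the claims if every check passes; raise ValueError otherwise."""
    now = time.time() if now is None else now
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued for another client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token not issued for this login attempt")
    return claims


def account_key(claims: dict) -> str:
    # Key the local account on the stable `sub` identifier, never on the email claim.
    return claims["sub"]
```

The nonce binds the token to the login attempt that requested it, and `aud` ensures a token minted for some other app cannot be replayed against this one.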