The tech giant rewards the
bug bounty hunter who found the severe flaw in its login mechanism with
US$100,000
A bug bounty hunter has
disclosed a severe flaw in Apple’s “Sign in with Apple” feature that, if
exploited, could have allowed an attacker to hijack people’s accounts on major
third-party services. According to Bhavuk Jain, any accounts on third-party apps and websites
that used the authentication method but did not implement any additional
security measures of their own were at risk.
Jain discovered the bug in
April and went on to report it to Apple, which rewarded him with US$100,000
under the company’s Security Bounty program. The Indian bug bounty hunter said that Apple investigated their logs and
didn’t find records of any account compromise or misuse stemming from the
vulnerability. The bug has since been patched, although
Apple has yet to comment
publicly on Jain’s findings.
Here’s my first 6 digit bounty
from @Apple. Blog post will be up next week. #bugbounty
Jain notes that there are
two ways “Sign in with Apple” authenticates users – either by using a JSON web
token (JWT) or by Apple’s servers generating a code, which then generates a
JWT. When signing in, the user then has the option to either share their Apple
ID associated mail with the third-party app or not.
In the latter scenario, a
user-specific Apple relay Email ID is generated. Once authorization is
successful, Apple generates a JWT containing the Email ID, which is used by the
third-party app to log the user in. Due to missing validation, however, there
was a way to subvert the process involving the JWT to hijack a user’s account –
and it only required knowing the target’s email ID.
“I found I could request
JWTs for any Email ID from Apple and when the signature of these tokens was
verified using Apple’s public key, they showed as valid. This means an attacker
could forge a JWT by linking any Email ID to it and gaining access to the
victim’s account,” said Jain.
The Cupertino tech giant
requires developers to add a “Sign in with Apple” option whenever other forms
of social logins (Facebook, Google) are available. The feature is used by
countless major services, such as Spotify, Airbnb, Adobe, eBay, and Dropbox, to
name a few.
Earlier this year, a pair of severe security
vulnerabilities was
found in iOS Mail app, which comes pre-installed on all iOS devices. The flaws
have been since patched and an update has been rolled out to the public.
Full
artyicle on