Hacker paid $100,000 over 'Sign in with Apple' vulnerability

Sign In with Apple (Image credit: iMore)

What you need to know

  • A hacker has been paid $100,000 by Apple after discovering a vulnerability in Apple's 'Sign in with Apple' feature.
  • The bug has now been fixed.
  • It could have resulted in the full takeover of user accounts.

A hacker has been paid $100,000 by Apple after discovering a zero-day vulnerability affecting the Sign in with Apple feature on iOS.

Bhavuk Jain revealed his findings in a recent blog post:

What if I say, your Email ID is all I need to take over your account on your favorite website or an app. Sounds scary, right? This is what a bug in Sign in with Apple allowed me to do.

In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn't implement their own additional security measures. This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.

Sign in with Apple was developed by Apple to help users sign up for services using their Apple ID without having to fill in forms, verify emails, choose new passwords or give over their personal email addresses. Regarding the bug itself:

I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple's public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim's account.

In real terms, the vulnerability "could have allowed full account takeover" on third-party applications that use the feature, including Dropbox, Spotify, Airbnb, and Giphy, which might have been vulnerable to a full account takeover "if there weren't any other security measures in place".
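As an added, defender-side example that is not part of the article (nor Apple's or Jain's code), this is the kind of "additional security measure" a third-party app can apply on its side of Sign in with Apple: after the RS256 signature, it validates the identity token's issuer, audience and expiry, and it keys accounts on the stable `sub` claim rather than the email claim, so a validly signed token that merely carries another user's email address does not log into that user's account (keying on `sub` is standard relying-party practice, not something the article states). Signature verification is injected and assumed to be done against Apple's JWKS with a library such as PyJWT; the token, client_id and account-store values are constructed.

```python
import base64
import json
import time

APPLE_ISSUER = "https://appleid.apple.com"  # issuer claim of Apple identity tokens

def _b64url_decode(seg: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def make_demo_token(header: dict, claims: dict, signature: bytes = b"stub") -> str:
    # Offline demo helper only: real identity tokens are minted and signed by Apple
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(json.dumps(claims).encode()), enc(signature)])

def validate_claims(claims: dict, audience: str, now: float) -> dict:
    """Reject a payload Apple did not mint for this app (aud = its client_id) or that is stale."""
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] < now:
        raise ValueError("expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims

def parse_identity_token(token: str, verify_signature, audience: str, now=None) -> dict:
    """Split, signature-check and claim-check a token. verify_signature(signing_input, signature, header)
    must check RS256 against Apple's JWKS (https://appleid.apple.com/auth/keys), e.g. with PyJWT."""
    h, p, s = token.split(".")  # ValueError if the token is not exactly three segments
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")  # refuse 'none'/HMAC downgrades outright
    if not verify_signature(f"{h}.{p}".encode(), _b64url_decode(s), header):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    return validate_claims(claims, audience, time.time() if now is None else now)

def resolve_account(claims: dict, accounts: dict) -> tuple:
    """Key accounts on Apple's stable `sub`, never on the email claim, so a validly signed token
    that merely carries someone else's email matches no existing login (store is constructed)."""
    for acct_id, acct in accounts.items():
        if acct.get("apple_sub") == claims["sub"]:
            return ("login", acct_id)
    email = (claims.get("email") or "").lower()
    for acct_id, acct in accounts.items():
        if email and acct.get("email", "").lower() == email:
            # Same email as an unlinked account: demand proof of control before linking, no auto-login
            return ("link_required", acct_id)
    return ("create", None)
```

A "link_required" result should send the user through the app's own proof of control of the existing account (its password or a code mailed to it) before the Apple `sub` is attached to it.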

Thankfully, an Apple investigation into its logs "determined there was no misuse or account compromise due to this vulnerability", which has now been fixed.

Stephen Warwick
News Editor
