What you need to know
- A hacker has been paid $100,000 by Apple after discovering a vulnerability in Apple's 'Sign in with Apple' feature.
- The bug has now been fixed.
- It could have resulted in the full takeover of user accounts.
A hacker has been paid $100,000 by Apple, after discovering a zero-day vulnerability affecting the Sign in With Apple feature on iOS.
Bhavuk Jain revealed his findings in a recent blog post:
Sign in with Apple was developed by Apple to help users sign up for services using their Apple ID without having to fill in forms, verify emails, choose new passwords or give over their personal email addresses. Regarding the bug itself:
In practical terms, the vulnerability "could have allowed full account takeover" of user accounts, including accounts on third-party applications that use Sign in with Apple such as Dropbox, Spotify, Airbnb, and Giphy, which might have been open to a full account takeover "if there weren't any other security measures in place".
Thankfully, an Apple investigation into its logs "determined there was no misuse or account compromise due to this vulnerability", which has since been fixed.
Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design.
Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple. Follow him on Twitter @stephenwarwick9