What you need to know
- A hacker has been paid $100,000 by Apple after discovering a vulnerability in Apple's 'Sign in with Apple feature'.
- The bug has now been fixed.
- It could have resulted in the full takeover of user accounts.
A hacker has been paid $100,000 by Apple, after discovering a zero-day vulnerability affecting the Sign in With Apple feature on iOS.
Bhavuk Jain revealed his findings in a recent blog post:
What if I say, your Email ID is all I need to takeover your account on your favorite website or an app. Sounds scary, right? This is what a bug in Sign in with Apple allowed me to do.
In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn't implement their own additional security measures. This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.
Sign in with Apple was developed by Apple to help users sign up for services using their Apple ID without having to fill in forms, verify emails, choose new passwords or give over their personal email addresses. Regarding the bug itself:
I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple's public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim's account.
In real terms, the vulnerability "could have allowed full account takeover" to occur, including on some third-party applications including Dropbox, Spotify, Airbnb, and Giphy, which might have been vulnerable to a full account takeover "if there weren't' any other security measures in place".
Thankfully, an Apple investigation into its logs "determined there was no misuse or account compromise due to this vulnerability" which has now been fixed.