A new zero-day vulnerability was recently pointed out in Apple’s “sign in with Apple” authentication page. The man from Telangana, India now claims to have been paid $100,000 (about Rs 75 lakh) by the US-based tech giant under its Security Bounty program.
The vulnerability affects third-party apps that use Apple’s authentication, but do not have any security measures of their own. Once exploited, the vulnerability would allow attackers to take full control over user accounts on third-party applications.
Watch: Weekly News Roundup – May 29
Bhavuk Jain, the programmer, also added as per a report by LiveMint that Apple conducted an investigation of its logs after discovering the vulnerability and found that it had not been misused and that no accounts were compromised because of it. Jain further explains in his blog that the “sign in with Apple” function works similar to Oauth 2.0, by authentication a user by either using a JWT or a code generated by Apple’s own server.
Jain discovered that attackers could actually forge a JWT by linking any Email ID to it and gain access to a user’s app account. The attackers could have requested JWTs for any Email ID from Apple. Further, when the signature of these tokens were verified using Apple’s public key, they showed as valid.
Sign in with Apple
Since Apple made it mandatory for apps that did not support third-party logins, many developers have made use of the “sign in with Apple” service for their apps. The feature allows users to sign in to apps and websites by using their Apple IDs instead of their social media IDs.
The service became instantly popular. Unlike various third-party sign-ins, Apple’s authentication allowed users the option to not share their Email IDs, instead of generating a random Email ID for them. This helped strengthened user privacy by making sure that the real Email IDs did not fall into the wrong hands. This also made users browsing through the web feel less exposed.