Researcher found a security vulnerability with "Apple Login" option

Joanna Estrada
June 3, 2020

Sign in with Apple lets Apple account holders sign in to third-party apps without having to share their email address.

Now, a new bug that could have critically affected the privacy of "Sign in with Apple" users has been discovered.

Apple will pay $100,000 or around Rs 75 lakh to Delhi-based security researcher Bhavuk Jain for reporting a critical security bug in the new "Sign in with Apple" feature.

"It allowed potential account takeovers on third-party applications that use Sign in with Apple irrespective of the fact that they are an Apple user or not", he said in an interaction with The Times of India-GadgetsNow when asked about the severity of the bug. Jain described this as a critical flaw that could let an attacker take over any account: all the attacker needed was the email address associated with a victim's Apple ID to obtain a validly signed token and gain access.

Sign in with Apple's authentication flow resembles OAuth 2.0. After the user logs in to their Apple account, Apple's servers hand the third-party application either an authorization code or a JSON Web Token (JWT). The JWT carries identity claims about the signing-in user, such as their email address, and is signed with Apple's private key; the third-party application verifies that signature against Apple's published public key and relies on the claims to confirm who is signing in. The token is not secret; its value lies entirely in the signature and in Apple binding the claims to the user who actually logged in.

Bhavuk Jain disclosed the flaw to Apple which led to an award from Apple's bug bounty programme.

"For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty programme", he announced.

The vulnerability is believed to affect third-party apps that relied on Apple's authentication alone, without additional security measures of their own.

"Sign in with Apple works similarly to OAuth 2.0".

The researcher confirmed to The Hacker News that the vulnerability worked even if the user chose to hide their email ID from third-party services, and that it could also be exploited to sign up for a new account with the victim's Apple ID.

According to Jain's blog post, the first step of signing in with Apple is the user logging in to their Apple account; Apple's servers then generate the token or code that the third-party app receives.

"I found I could request JWTs for any Email ID from Apple, and when the signature of these tokens was verified using Apple's public key, they showed as valid".

"This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim's account", Jain noted.

Apple has since patched the flaw, and an internal audit of its logs revealed no signs of compromised accounts.

"A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins", Jain said, adding that examples include Dropbox, Spotify, Airbnb and Giphy.
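The token checks described above, as an added worked example in Go that is not part of the original article and is not Apple's or Jain's code. It assumes a constructed RSA key standing in for Apple's signing key, constructed claim values (issuer, client ID, subject, email, nonce) and a minimal RS256 JWT. The relying-party function verifyToken pins the algorithm, checks the signature against the issuer's public key, then checks iss, aud, exp and the login nonce. The point it makes is the one behind this bug: a payload whose email was rewritten under the old signature is rejected, while a token the issuer itself signed with an attacker-chosen email verifies cleanly, so signature checks on the app side could not have caught it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims: the identity-token fields a relying party reads (standard OIDC names; the real Apple token carries more).
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Nonce string `json:"nonce,omitempty"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string            { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// issueToken plays the identity provider: it RS256-signs whatever claims it is handed.
func issueToken(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c) // plain strings and ints: cannot fail
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// rewriteEmail is all an attacker WITHOUT the issuer's key can do: edit the payload, keep the old signature.
func rewriteEmail(token, email string) string {
	parts := strings.Split(token, ".")
	payload, _ := unb64(parts[1])
	var c Claims
	_ = json.Unmarshal(payload, &c)
	c.Email = email
	body, _ := json.Marshal(c)
	return parts[0] + "." + b64(body) + "." + parts[2]
}

// verifyToken is the relying-party side: pin alg, verify the signature, then check iss, aud, exp and the login nonce.
func verifyToken(pub *rsa.PublicKey, token, wantIss, wantAud, wantNonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, e1 := unb64(parts[0])
	payload, e2 := unb64(parts[1])
	sig, e3 := unb64(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("malformed base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg") // never let the token pick the algorithm
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != wantIss || c.Aud != wantAud:
		return nil, fmt.Errorf("not from the expected issuer for this app (iss %q, aud %q)", c.Iss, c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case wantNonce != "" && c.Nonce != wantNonce:
		return nil, errors.New("nonce mismatch: token not tied to this login attempt")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the issuer's signing key
	c := Claims{Iss: "https://appleid.apple.com", Aud: "com.example.app", Sub: "001234.abcd", Email: "victim@example.com", Nonce: "n1", Exp: time.Now().Add(10 * time.Minute).Unix()}
	genuine, _ := issueToken(key, c)
	_, tamperErr := verifyToken(&key.PublicKey, rewriteEmail(genuine, "attacker@example.com"), c.Iss, c.Aud, "n1", time.Now())
	c.Email = "attacker@example.com"
	forged, _ := issueToken(key, c) // what the bug handed out: issuer-signed, attacker-chosen email
	claims, forgeErr := verifyToken(&key.PublicKey, forged, c.Iss, c.Aud, "n1", time.Now())
	fmt.Println("rewritten payload:", tamperErr, "| issuer-signed forgery:", forgeErr, "email accepted:", claims.Email)
}
```

Running it prints the rewritten-payload token failing with "bad signature" while the issuer-signed forgery passes with the attacker's email accepted. In a real integration the public key is fetched from Apple's published JWKS and selected by the token header's kid (not modelled here), and the nonce compared must be the one the app generated for this login attempt and stored in the user's session; none of those checks detects an issuer-side bug of the kind Jain reported, because every one of them is satisfied by a token the issuer genuinely signed.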
