$100,000 Bounty Zero-day Bug in “Sign in with Apple” Let Hackers Take Over Users’ Accounts Remotely
Last year at WWDC, Apple presented one of its great innovations, “Sign in with Apple.” But recently an Indian security researcher found a critical security flaw in this feature that allowed hackers to gain control of a user’s account in third-party applications and services just by knowing their email ID.
Apple launched the ‘Sign in with Apple’ feature to keep its users’ data and privacy secure by letting them log into apps without revealing their email address, but this feature has now potentially exposed user data to hackers.
This security flaw in the ‘Sign in with Apple’ feature allowed hackers to circumvent the system’s authentication and steal user accounts on specific services. But you don’t have to worry, as Apple has already patched this flaw and paid about $100,000 as a reward to the Indian security researcher, Bhavuk Jain, who notified Apple about the vulnerability.
In an interview, Bhavuk Jain revealed that the vulnerability resided in the login system. More specifically, Apple validates the user on the client side before initiating a request to Apple’s authentication servers.
Here, once a user is authenticated through the system, the server generates a JWT (JSON Web Token) that contains the information the app uses to confirm the identity of the user who logs in.
Moreover, Bhavuk also noted that although Apple asks users to log into their Apple account before initiating the request, it did not validate that the same person was requesting the JWT from the server in the next step.
That is why the missing validation in that part of the process could have allowed an attacker to supply a different Apple ID, belonging to a victim, and trick Apple’s servers into generating a JWT that is valid to log in with. Bhavuk rated this flaw as critical, as it could have allowed attackers to achieve a complete takeover of the account.
Here’s what Bhavuk Jain explained: “I could request JWTs for any Apple email ID, and when I verified the signature of those tokens using Apple’s public key, they were shown to be valid. This means an attacker can easily spoof JWTs by linking any Email ID to it and gain access to the victim’s account.”
Moreover, Apple investigated its server logs and confirmed that the flaw had not been exploited by hackers to compromise any account; in short, no abuse of the flaw has been detected.