Heads up, Apple users! A researcher found a vulnerability in the “Sign in with Apple” feature that allowed an attacker to take over accounts simply by supplying an email ID. Apple has now fixed the flaw.
Vulnerability In “Sign In With Apple” Feature
Reportedly, security researcher Bhavuk Jain caught a serious bug threatening Apple users. Jain has shared the details of his findings in a blog post.
Briefly, he found a zero-day vulnerability in the “Sign in with Apple” feature. Exploiting the bug could let an adversary take over any account without requiring the victim to have a valid Apple ID.
The bug existed in how Apple’s sign-in feature worked with third-party apps. Normally, the feature lets users share their Apple email ID with the app; if a user prefers not to, Apple instead generates a relay email ID on the user’s behalf.
After authorization, Apple generates a JSON Web Token (JWT) containing that email ID, which the third-party app uses to log the user in. That is where the bug lay: because of missing validation, anyone could request a JWT for any email ID.
As stated by the researcher,
I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.
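The token flow described above, reduced to a runnable model (an added example; this is not code from the article, from the researcher, or from Apple). It assumes a constructed HMAC key standing in for Apple’s RS256 signing key, a constructed client ID, and a constructed session table; everything else is generic JWT handling. The point it demonstrates is that a token minted from a client-supplied email carries a perfectly genuine signature, so the relying app’s verification cannot catch it, and the only effective fix is for the issuer to bind the email claim to the authenticated session.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the identity provider's signing key. Apple signs
# identity tokens with RS256 (asymmetric); HMAC-SHA256 is used here only so the
# example runs with the standard library. The flaw is independent of the algorithm.
ISSUER_KEY = b"constructed-demo-signing-key"
ISSUER = "https://appleid.apple.com"       # the issuer value Apple identity tokens carry
CLIENT_ID = "com.example.thirdpartyapp"     # constructed audience (client) id

# Constructed record of what the identity provider knows about each authenticated
# session: which account logged in and which email (real or per-app relay
# address) that user consented to share with this client.
SESSIONS = {
    "session-attacker": {"sub": "001234.attacker",
                         "email": "attacker-relay@privaterelay.appleid.com"},
    "session-victim": {"sub": "009876.victim", "email": "victim@example.com"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(claims: dict) -> str:
    """Serialise header.claims and append an HMAC-SHA256 signature (compact JWT)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "constructed-kid"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _claims(session: dict, email: str, now: int) -> dict:
    return {"iss": ISSUER, "aud": CLIENT_ID, "sub": session["sub"],
            "email": email, "iat": now, "exp": now + 600}


def issue_token_vulnerable(session_id: str, requested_email: str, now: int) -> str:
    """Models the bug: the email claim is copied from the request, not the session."""
    return _sign(_claims(SESSIONS[session_id], requested_email, now))


def issue_token_fixed(session_id: str, requested_email: str, now: int) -> str:
    """Hardened issuer: only the email bound to the authenticated session is signed."""
    session = SESSIONS[session_id]
    if requested_email != session["email"]:
        raise PermissionError("requested email is not bound to the authenticated user")
    return _sign(_claims(session, session["email"], now))


def verify_token(token: str, now: int) -> dict:
    """Relying-party check: signature, issuer, audience and expiry. Returns claims."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(ISSUER_KEY, f"{head_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID or claims["exp"] <= now:
        raise ValueError("issuer, audience or expiry check failed")
    return claims


def forgery_rejected(session_id: str, requested_email: str, now: int) -> bool:
    """True if the fixed issuer refuses to mint a token for an unbound email."""
    try:
        issue_token_fixed(session_id, requested_email, now)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    now = 1_600_000_000
    # Vulnerable issuer: attacker's session, victim's email, and it still verifies.
    token = issue_token_vulnerable("session-attacker", "victim@example.com", now)
    print("vulnerable issuer, app-side verification ->", verify_token(token, now)["email"])
    # Fixed issuer: same request is refused before any signature is produced.
    print("fixed issuer refuses ->", forgery_rejected("session-attacker", "victim@example.com", now))
```

Run it and the first line shows the relying app happily accepting a token whose email claim names the victim, because every check it can perform (signature, issuer, audience, expiry) passes; that is exactly why the third-party apps listed below could not have protected themselves and the fix had to land on Apple’s side. For the defender operating an identity provider, the lesson is the `issue_token_fixed` check: identity claims in a token must come from the authenticated session, never from request parameters.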
Since the bug existed in this main feature, it virtually affected all third-party applications that offered this option. These apps include popular services as well, such as Airbnb, Spotify, Dropbox, and Giphy.
Apple Paid A Huge Bounty
Though the researcher has not shared a specific timeline of the disclosure, he did reveal that he found the bug in April.
Upon discovering the vulnerability, the researcher reported it to Apple, which then developed a fix. Apple also reviewed its logs and confirmed there had been no active exploitation of the flaw.
Apple also awarded Jain a bounty of $100,000 for discovering and responsibly disclosing the bug.
Let us know your thoughts in the comments.