A critical security vulnerability allowed attackers to gain access to accounts that used “Sign in with Apple” – now Apple has fixed the bug.
The vulnerability was discovered by Bhavuk Jain, a security researcher, and reported as part of Apple's Bug Bounty program. According to the report:
Bhavuk noted that while Apple requires users to sign in to their Apple account before triggering the request, the user's identity was not re-validated in the next step, when the same person requested a JSON Web Token (JWT) from Apple's authentication server.
Because of this missing check, an attacker could have supplied a victim's Apple ID in that request and tricked Apple's servers into generating a JWT that was valid for logging into a third-party service under the victim's identity.
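As an added illustration (not code from the report or from Apple), the following simplified model shows the issuance step described above: the vulnerable issuer signs whatever email the request names, while the fixed issuer binds the email to the already-authenticated session, and the relying party checks signature, audience and expiry. The HS256 key, issuer name and client id are constructed placeholders (Apple's real tokens are RS256-signed).

```python
import base64, hmac, hashlib, json, time

# Constructed demo key standing in for the identity provider's signing key
# (assumption: HS256 for brevity; the real service uses RS256).
SIGNING_KEY = b"demo-signing-key-not-apples"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_jwt(claims: dict) -> str:
    """Build a compact HS256 JWT carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, audience: str) -> dict:
    """Relying-party check: signature, audience and expiry must all hold.
    Note this cannot detect the flaw: a token minted for the wrong user is
    still genuinely signed, so the fix has to live on the issuer side."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        raise ValueError("wrong audience or expired token")
    return claims

def issue_token_vulnerable(session_email: str, requested_email: str, client_id: str) -> str:
    """Models the reported flaw: the caller is authenticated as session_email,
    but the email written into the token is taken from the request unchecked."""
    return mint_jwt({"iss": "demo-idp", "aud": client_id, "email": requested_email,
                     "exp": int(time.time()) + 300})

def issue_token_fixed(session_email: str, requested_email: str, client_id: str) -> str:
    """Hardened issuer: the identity in the token must be the authenticated one."""
    if requested_email != session_email:
        raise PermissionError("requested identity does not match authenticated user")
    return mint_jwt({"iss": "demo-idp", "aud": client_id, "email": session_email,
                     "exp": int(time.time()) + 300})
```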
$100,000 reward for the find
As a result, accounts on third-party services that were created using "Sign in with Apple" were at risk. Applications that apply additional security measures for verification were not affected. Jain explained:
"The impact of this vulnerability was quite critical as it could have allowed a complete takeover of the accounts. Many developers have integrated Sign in with Apple as it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple - Dropbox, Spotify, Airbnb, Giphy (now acquired by Facebook)," Jain wrote.
The security researcher received a total of 100,000 US dollars as a reward for this discovery. Apple has now reportedly closed the security hole. According to the company, however, the vulnerability was not exploited - at least there is no evidence of this. It should also be emphasized at this point that the Apple account itself was never at risk.