Apple has paid developer Bhavuk Jain a $100,000 bounty for finding a serious bug in its “Sign in with Apple” login system that could have allowed malicious actors to take over a user’s account on specific websites and apps.
According to Jain, the bug was related to the way that Apple was validating users who used Sign in with Apple. The login service, which was released by the company last year and can be used with Apple IDs, is designed to limit the amount of tracking enabled by other login services, such as Facebook and Google. One of the biggest selling points of Sign in with Apple is the ability to hide your email address from the third party app or service.
In order to authorize a user, Sign in with Apple uses a JWT (JSON Web Token) or a code generated by Apple’s servers. While authorizing, Apple gives users the option to share or hide their Apple ID with the third party app. If users choose not to share their email with a specific app, Apple generates a user-specific Apple email ID for that service.
After successful authorization, depending on what the user chooses, Apple produces a JWT that contains the email ID. This ID is subsequently used by the third party app to log a user in.
This is where the bug comes in. Jain said that in April he found that he could request JWTs for any Apple email ID.
“When the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any email ID to it and gaining access to the victim’s account,” the developer explained in a blog.
Per the Hacker News, Jain found that this was because although Apple asked users to log in to their Apple account before initiating the authorization request, it was not validating if the same person was requesting a JWT in the next step from its authentication server.
The vulnerability affected third party applications that were using it and didn’t implement their own additional security measures.
The Hacker News reports that malicious actors could exploit this vulnerability even if users chose to hide their Apple email ID from third party services and that it could also be used to sign up a new account with the victim’s Apple ID.
“The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins,” Jain said, adding that some examples include Dropbox, Spotify, Airbnb and Giphy. “These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user.”
Nonetheless, Jain said that Apple had carried out an investigation and determined that there had been no misuse or account compromise due to the vulnerability. Whew. Per various outlets, Apple has patched the vulnerability.
It’s nice to see that even though it feels like the world is a hot mess right now, there’s still some good work going on.