Apple has paid a $100,000 (~Rs 75 lakh) bounty to Bhavuk Jain, a 27-year-old Indian researcher, for finding a critical zero-day vulnerability in the 'Sign in with Apple' feature used by some websites and several third-party applications. According to Jain, the flaw could have allowed attackers to take over the accounts of Apple users who log into third-party apps such as Dropbox, Spotify, Airbnb and Facebook-owned Giphy with it.
Launched in 2019, the "Sign in with Apple" feature lets users sign into third-party apps quickly by sharing their Apple email ID. During login, Apple authenticated a JWT (JSON Web Token) that also contained the user's Apple ID email address. If the user chose to hide their email ID, Apple instead generated a user-specific Apple relay email ID. That is where the bug lay.
According to Jain, he could request a JSON Web Token for any legitimate Apple account, and the sign-in was accepted as valid every time. This, Jain said, is a critical flaw that could allow an attacker to take over any account, since all that was needed to obtain a validated token and gain access was the email address associated with an Apple ID.
"The Sign in with Apple works similarly to OAuth 2.0. I found I could request JWTs (JSON Web Tokens) for any Email ID from Apple and when the signature of these tokens was verified using Apple's public key, they showed as valid," Jain said. "This means an attacker could forge a JWT by linking any Email ID to it and gain access to the victim's account," he added.
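As an added illustration (not code from the article or from Jain's report), the Python below shows the relying-party checks that should accompany signature verification of an ID token in this OAuth 2.0-style flow: issuer, audience, expiry and nonce, with the account keyed on the stable `sub` claim rather than the email claim. The issuer constant is Apple's documented value; the client ID, nonce, claims and HMAC key are constructed so the example runs offline, the key standing in for Apple's published public keys.

```python
import base64, hashlib, hmac, json, time

APPLE_ISSUER = "https://appleid.apple.com"  # Apple's documented id_token issuer

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def validate_id_token(token, verify_sig, client_id, expected_nonce, now=None):
    """Return the stable account identifier (sub) or raise ValueError.

    verify_sig(alg, signing_input, signature) -> bool is supplied by the
    caller; in production it is backed by Apple's published public keys.
    A valid signature alone is not enough: issuer, audience, expiry and
    nonce are checked too, and the account is keyed on 'sub', not 'email'.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    alg = header.get("alg")
    if not alg or alg.lower() == "none":
        raise ValueError("unsigned tokens are rejected")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    if not verify_sig(alg, signing_input, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was not issued for this app")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims["sub"]

# Constructed offline demo: an HMAC key stands in for Apple's signing key.
DEMO_KEY = b"constructed-demo-key"

def demo_verify(alg, signing_input, signature):
    expected = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return alg == "HS256" and hmac.compare_digest(expected, signature)

def demo_token(claims):
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```

These checks bound what a relying party accepts from a correctly signed token; they are not a substitute for the provider-side fix Apple shipped.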
According to Jain, this vulnerability could have had a long-lasting impact on hundreds of thousands of Apple users, as it allowed a full account takeover.
"This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not," Jain said. It is worth noting that Apple requires 'Sign in with Apple' of many developers: it is mandatory for applications that support other social logins.
Apple has yet to release an official statement on the matter, but Jain said Apple investigated and patched the bug. Following his report, the Cupertino-based company also confirmed that the vulnerability had not been misused and that no accounts had been compromised.