Apple has paid a $ 100,000 reward to a developer for discovering a serious flaw in the Login with Apple access system .
This bug could have been exploited by malicious users to seize a user’s account on websites and applications that use that system.
According to Bhavuk Jain, the developer who found the bug, the bug was related to how Apple validated users using “Sign in with Apple . “
The login service is designed to limit the amount of information collected by applications and websites compared to other login services, such as Facebook and Google. One of the biggest benefits of “Sign in with Apple” is the ability to hide your email address from the third-party application or service.
The source of the security breach
To authorize a user, log in with Apple uses a JWT (JSON Web Token) or code generated by Apple’s servers. By authorizing, Apple gives users the option to share or hide their Apple ID with the third-party app. If users choose not to share their email with a specific app, Apple generates a specific Apple email ID for that service.
After authorization, depending on what the user chooses, Apple generates a JWT that contains the email ID. This ID is later used by the third-party application to start the user’s session.
This is where the failure occurs. Jain claims that in April he discovered that he could request JWT for any Apple email ID.
When the signature of these tokens was verified using Apple’s public key, they were shown to be valid. This means that an attacker could spoof a JWT by linking any email ID to it and gaining access to the victim’s account, ”the developer explained in a blog.
Jain found that this was because although Apple asked users to connect to their Apple account before initiating the authorization request, it did not validate if the same person requested a JWT in the next step of their authentication server.
The vulnerability affected third-party applications that used this system and did not implement their own additional security measures.
Attackers could exploit this vulnerability even if users decided to hide their Apple email ID from third-party services and that it could also be used to register a new account with the victim’s Apple ID.
“The impact of this vulnerability was quite critical, as it could have allowed for a complete takeover. Many developers have integrated login with Apple, as it is mandatory for applications that support other social media logins, ” says Jain. “These applications were not tested but could have been vulnerable to a complete takeover of an account if there had been no other security measures when verifying a user.”
Jain explains that Apple conducted an investigation and determined that there had been no misuse or compromise of any accounts due to the vulnerability. Apple has patched the vulnerability.
