If you’ve used the “Sign in with Apple” feature on your iPhone before, you might be interested to know that Indian web developer Bhavuk Jain recently reported a (now-patched) zero-day bug through the Apple Bug Bounty Program. The vulnerability, if left unpatched, could have made it possible for hackers to take control of Apple accounts through the “Sign in with Apple” feature while they were logging into third-party apps like Spotify, Dropbox, etc.
“This bug could have resulted in a full account takeover of user accounts on that third-party application irrespective of a victim having a valid Apple ID or not,” Jain said in his blog post on May 30. All a hacker would need, Jain said, was your email ID.
The flaw was in how the feature authenticates users: it creates a “JSON Web Token” (JWT), which contains the email ID of the user.
“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” Jain said. “This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”
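The following is an added illustration, not code from Jain's write-up or from Apple: a toy token issuer showing why a valid signature gave the third-party app no protection when the issuer signed whatever email was requested, next to one way an issuer can bind the claim to the signed-in session. The function names, the demo key and the use of HMAC-SHA256 in place of Apple's public-key signature are assumptions made for the example.

```python
import base64, hashlib, hmac, json

# Constructed demo key. Apple signs with an asymmetric key; HMAC-SHA256 is a
# stand-in here so the example runs with the standard library only.
ISSUER_KEY = b"constructed-demo-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    mac = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{_b64(mac.digest())}"

def verify_jwt(token: str) -> dict:
    """Relying-party check: proves only that the issuer signed these claims."""
    header, payload, sig = token.split(".")
    mac = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(payload))

def issue_unchecked(session_email: str, requested_email: str) -> str:
    # Flawed issuer (hypothetical): the email claim is copied from the request
    # and signed without comparing it to the signed-in identity.
    return sign_jwt({"email": requested_email})

def issue_checked(session_email: str, requested_email: str) -> str:
    # Hardened issuer (hypothetical): the claim must match the identity the
    # session actually authenticated, and is taken from the session.
    if session_email.lower() != requested_email.lower():
        raise PermissionError("requested email does not belong to this session")
    return sign_jwt({"email": session_email})
```

With the unchecked issuer, `verify_jwt` accepts a token whose email differs from the session that requested it, so the check has to happen at issuance; signature verification in the third-party app cannot catch it.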
This was a huge security flaw, since the ‘Sign in with Apple’ feature is mandatory for applications that allow social logins. Luckily, Apple has now patched this issue and reported that there were no accounts compromised due to this vulnerability.
The Apple Bug Bounty Program is how bounty hunters report a problem to Apple and earn rewards for their aid. Apple bug report rewards are known to go high (for good reason!) and this one was no different. “For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty program,” he said, which is approximately ₹75.5 lakh.
Whoa! That’s a lot of money, but it’s undoubtedly a well earned reward for Bhavuk Jain. Well done!