Apple account takeover bug nets researcher US$100,000

Yolanda Curtis
June 3, 2020

A new bug that could have critically affected the privacy of "Sign in with Apple" users has been discovered.

The discovery earned New Delhi-based programmer Bhavuk Jain $100,000, he said, highlighting the critical nature of the flaw and the large payouts Apple has been offering through the bug bounty program it expanded last year.

Security researcher Bhavuk Jain found that this mechanism was flawed: an attacker could hijack user accounts on web properties that relied on "Sign in with Apple". Although users had to log into their Apple accounts first, Apple's servers did not validate that the subsequent request for the JWT came from the same user. Services relying on the mechanism included the company listed as NASDAQ: DBX, Spotify Technology SA (NYSE: SPOT), Airbnb, and Giphy, owned by Facebook Inc (NASDAQ: FB).

In April this year, Delhi-based bug bounty hunter Bhavuk Jain found that the Sign in with Apple system could easily be tricked into handing over JSON Web Token (JWT) authentication tokens for any user's email address.

These applications were not tested but remained vulnerable to a "full account takeover if there weren't any other security measures in place while verifying a user".

"The impact of this vulnerability was quite critical as it could have allowed a full account takeover." Although many high-profile companies run bounty programmes, bounties of this size are rarely paid out, since they are reserved for significant and critical vulnerabilities. An investigation by Apple's security team determined that the vulnerability had not been used in any attacks.

According to Jain, "Sign in with Apple" works similarly to OAuth 2.0: once the user has authenticated with Apple, Apple creates a JWT that the third-party service uses to log the user in.

"I found I could request JWTs (JSON Web Tokens) for any Email ID from Apple and when the signature of these tokens was verified using Apple's public key, they showed as valid", Jain said.

The Hacker News reports that malicious actors could have exploited this vulnerability even if users chose to hide their Apple email ID from third-party services, and that it could also have been used to sign up for a new account with the victim's Apple ID. As a result, an attacker could forge a JWT by linking any email ID to it, and this would grant them access to the victim's linked accounts. Apple has since patched the flaw, and an internal audit of its logs revealed no signs of compromised accounts.
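To make the mechanism concrete, here is an added example written for this page (it is not code from Jain's write-up or from Apple) that models both halves of the exchange: an issuer that mints a JWT for whatever identity the request names, the same issuer with the missing check added, and a relying party that verifies the signature, issuer, audience and expiry. Assumptions: HMAC-SHA256 with a constructed key stands in for the asymmetric signature that real Sign in with Apple tokens carry and that relying parties check against Apple's published public key; the client identifier, email addresses and token lifetime are constructed; the token carries only an email claim.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key standing in for the issuer's signing key. Assumption: real
# Sign in with Apple tokens are signed with an asymmetric key and checked against
# Apple's published public key; HMAC-SHA256 keeps this example standard-library only.
ISSUER_KEY = b"demo-secret-not-a-real-key"
ISSUER = "https://appleid.apple.com"        # issuer value carried by Apple's ID tokens
AUDIENCE = "com.example.relyingparty"        # constructed client identifier
TOKEN_LIFETIME = 600                          # seconds; constructed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(claims: dict, now: float) -> str:
    """Build and sign a JWT. Whatever claims are passed in come out with a genuine signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = dict(claims, iss=ISSUER, aud=AUDIENCE, iat=int(now), exp=int(now) + TOKEN_LIFETIME)
    payload = _b64url(json.dumps(body, separators=(",", ":")).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def issue_token_unchecked(session_email: str, requested_email: str, now: float) -> str:
    """Model of the flaw: the caller is authenticated as session_email, but the token is
    minted for whatever email the request names. session_email is never consulted."""
    return _sign({"email": requested_email}, now)


def issue_token(session_email: str, requested_email: str, now: float) -> str:
    """Fixed issuer: the identity written into the token must be the authenticated one."""
    if requested_email != session_email:
        raise PermissionError("requested identity does not match the authenticated session")
    return _sign({"email": session_email}, now)


def verify_token(token: str, now: float) -> dict:
    """Relying-party side: signature first, then issuer, audience and expiry."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # pin the expected algorithm; never accept 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(ISSUER_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token issued for a different client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    now = time.time()
    # Attacker's session, victim's email: the unchecked issuer signs it anyway.
    forged = issue_token_unchecked("attacker@example.com", "victim@example.com", now)
    print("unchecked issuer -> relying party accepts email:", verify_token(forged, now)["email"])
    try:
        issue_token("attacker@example.com", "victim@example.com", now)
    except PermissionError as err:
        print("fixed issuer refuses:", err)
```

The point the example makes is that the relying party's checks all pass on the token from `issue_token_unchecked`: the signature is genuine, the issuer and audience are right and it has not expired, so nothing on the relying party's side distinguishes it from a legitimate login. The defect is in issuance, where the identity placed in the token must be tied to the session that authenticated, which is what the fixed `issue_token` enforces; any further safeguards a service applies when verifying a user (the "other security measures" mentioned above) are a second line of defence, not a substitute for that check.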

"Sign in with Apple won't track or profile you as you use your favorite apps and websites, and Apple retains only the information that's needed to make sure you can sign in and manage your account", Apple explains in a support bulletin.
