Developer and security researcher Bhavuk Jain received $100,000 from Apple after reporting a serious security vulnerability in the “Sign in with Apple” login service. Apple has since fixed the flaw.
The details of the recently fixed zero-day vulnerability in the “Sign in with Apple” login have now been released: the flaw allowed an attacker to take over a victim’s account at any third-party app or website that offers the Apple login. Since “Sign in with Apple” is tied to the user’s Apple ID, this could have had devastating consequences for Apple users.
The discoverer, Bhavuk Jain, has now explained the vulnerability in a blog post. Jain shared his findings with Apple in April and, now that the hole has been closed, has made all the information public.
The Login Procedure Is Now Changed
The authentication method “Sign in with Apple” was presented as a more privacy-friendly alternative to the usual website and app login systems, because no further personal data has to be handed to the third party (the user can even keep their real email address hidden), and it launched with iOS 13 in autumn 2019. Apps and services that offer login with a Facebook or Google account can use the Apple alternative on iPhone or Mac.
Jain explained the problem as follows. Sign in with Apple hands the third-party app either a JSON Web Token (JWT) directly, or an authorization code generated by Apple’s servers, which the app then exchanges with Apple for a JWT. The JWT is signed by Apple and contains the user’s email ID; the third-party application verifies it and logs the user in on that basis.
Jain discovered that it was possible to request from Apple’s servers a JWT for any email ID, not only the one belonging to the account that was actually signed in. Because Apple itself had signed the token, verifying its signature with Apple’s public key showed it as valid, and the third-party app had no way to tell that it had been issued to the wrong person. An attacker could therefore obtain a token for a victim’s email ID and gain access to the victim’s account at the third-party service. Apple has changed the procedure so that the flaw is no longer exploitable. According to an investigation by the Apple security team, the vulnerability was not used in any known attack.
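To make the point concrete, the following Go program is an added example that is not part of the article and not Apple’s or Jain’s code. It implements a minimal RS256 JWT “issuer” and the checks a relying party performs (signature against the issuer’s public key, then issuer, audience and expiry). The RSA key pair stands in for Apple’s signing key, the claim layout and the `kid` value are assumed, and the email address and bundle ID are constructed sample input. Running it shows why signature verification alone could not catch this bug: a token the trusted issuer signs for any email verifies, while a token signed with anyone else’s key is rejected, so forging was never the attacker’s route.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of an OpenID Connect id_token payload this example uses.
// It is an illustrative stand-in, not Apple's exact schema.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

// issuer is the real "iss" value Apple uses; everything else here is assumed.
const issuer = "https://appleid.apple.com"

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintIDToken plays the identity provider's token endpoint: it signs a token
// naming whatever email it is asked for. A signature proves who signed the
// token, not that the caller was entitled to that email.
func MintIDToken(priv *rsa.PrivateKey, email, aud string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "demo-key"})
	sum := sha256.Sum256([]byte(email)) // stable pseudo user id derived from the email (constructed)
	body, err := json.Marshal(Claims{
		Iss: issuer, Aud: aud, Sub: b64(sum[:8]), Email: email,
		Iat: now.Unix(), Exp: now.Add(10 * time.Minute).Unix(),
	})
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyIDToken is the relying party's side: signature against the provider's
// public key, then issuer, audience and expiry. If all of that passes the app
// logs in whoever is named in Email, which is exactly what the bug abused.
func VerifyIDToken(pub *rsa.PublicKey, token, expectedAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // pin the algorithm; never let the token pick it
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	bodyRaw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(bodyRaw, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if c.Aud != expectedAud {
		return nil, fmt.Errorf("token not issued for this app: %q", c.Aud)
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	now := time.Now()
	providerKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for Apple's signing key
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048) // a key the attacker controls

	// The provider signs a token naming the victim's email for the attacker's session.
	tok, _ := MintIDToken(providerKey, "victim@example.com", "com.example.app", now)
	c, err := VerifyIDToken(&providerKey.PublicKey, tok, "com.example.app", now)
	fmt.Println("provider-signed token:", c.Email, err) // accepted: the verifier cannot see it was mis-issued

	// A token the attacker signs themselves fails the public-key check.
	forged, _ := MintIDToken(attackerKey, "victim@example.com", "com.example.app", now)
	_, err = VerifyIDToken(&providerKey.PublicKey, forged, "com.example.app", now)
	fmt.Println("self-signed token:", err)
}
```

The checks in `VerifyIDToken` are the ones every relying party should perform, and they are not what failed here: the token in the attack was genuinely signed by the provider, so the defect had to be fixed on the issuing side, which is what Apple did.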