Hacker Finds Huge Apple Security Hole; Apple Pays $100,000 Bug Bounty


A bug bounty hunter in India found an Apple security hole wide enough to drive a not-so-prototypical Mac truck through.

Or an iPhone, for that matter.

‘Sign In With Apple’ is supposed to increase your online security and privacy by not revealing personal information when you sign up for accounts on websites or in apps. In fact, Apple requires that developers make it available as an option when they also include social sign-up capability from companies like Facebook or Google. In practice, however, it potentially opened up your online accounts to anyone who had your email address and was technical enough to post a simple request to the Apple ID servers.

At least until a bug bounty hunter in India found the bug, reported it to Apple, and received a $100,000 bug bounty.

Essentially, anyone could request a token for any email ID, and the token Apple’s servers issued would check out as valid, so an attacker could gain access to any account you had linked to that email.

“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” Bhavuk Jain posted on his blog. “This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”

Jain is a respected bug hunter who has identified security vulnerabilities in services from Facebook, Google, Pinterest, and Yahoo, among other companies. He found the bug in April; Apple has since fixed it. According to Jain, Apple “did an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability.”

Any site or service, however, that simply relied on Sign In With Apple and did not implement other security measures would have been vulnerable.

“The impact of this vulnerability was quite critical as it could have allowed full account takeover,” Jain says. “A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins.”

Dropbox, Airbnb, and Spotify are just a few organizations that use the service.

“Sign in with Apple makes it easy for users to sign in to your apps and websites using their Apple ID,” Apple says on its developer site. “All accounts are protected with two-factor authentication for superior security.”
