Published on June 1st, 2020

‘Sign in with Apple’ vulnerability find earns $100k bug bounty

Forged requests flaw leads to six-figure payout

Apple awarded $100k bug bounty to a researcher

A security researcher has scored a $100,000 bug bounty after uncovering flaws in the ‘Sign in with Apple’ authentication technology.

Apple’s authentication feature is used by third-party applications as a login mechanism. Users can sign into accounts such as Dropbox, Spotify, Airbnb, and others through their Apple ID, avoiding the need to set up yet another login and password combination.

Security researcher Bhavuk Jain discovered that this mechanism was flawed, such that it was possible for an attacker to hijack user accounts on web properties that relied on ‘Sign in with Apple’.

Jain demonstrated a flawed web authentication mechanism rather than a confirmed ability to take over accounts.

“These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user,” according to Jain.

Token security

‘Sign in with Apple’ uses either a JSON Web Token (JWT) or a code generated by the Apple server in order to authenticate app visitors.

Users have the option, while authorizing, of hiding their Apple Email ID. If the user decides to hide this ID, Apple generates its own user-specific Apple relay Email ID.

After successful authorization, Apple creates a JWT which contains this Email ID, a token subsequently used by the third-party app to log in a user.

Forging ahead

After examining the JWT payload, Jain figured out a way to forge this token, allowing him to hack into a targeted account, as explained in a technical blog post.

“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” Jain writes.

“This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”

“The impact of this vulnerability was quite critical as it could have allowed full account takeover,” he added.

“A lot of developers have integrated ‘Sign in with Apple’ since it is mandatory for applications that support other social logins.”
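The relying-party side of the token mechanism described above, as an added example that is not code from the article, from Apple or from the researcher: it shows the checks a third-party app should perform beyond confirming the signature, because a correctly signed token that carries an arbitrary email claim is exactly the case Jain describes. To stay stdlib-only it signs with HS256 and a constructed `DEMO_SECRET` in place of Apple's RS256 public-key signature, the client ID and claim values are constructed, and the issuer string and `sub`/`aud` claim names follow Apple's published identity-token format, which the article does not detail.

```python
import base64, hashlib, hmac, json, time

# Constructed example. Real 'Sign in with Apple' tokens are RS256-signed and verified with
# Apple's public key; this stdlib-only demo signs with HS256 and a hypothetical shared secret.
APPLE_ISSUER = "https://appleid.apple.com"
DEMO_SECRET = b"constructed-demo-secret"

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_demo_token(claims, secret=DEMO_SECRET):
    """Build a constructed HS256 JWT so the verifier below has input to check."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_identity_token(token, client_id, now=None):
    """Return the stable 'sub' to key the local account on, or raise ValueError.
    A valid signature only proves who minted the token; issuer, audience and expiry are
    the relying party's job, and accounts are bound to 'sub', never to the email claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless three parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")       # never accept 'none' or a surprise alg
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(DEMO_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:           # minted for another app: not ours
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("missing sub")
    return sub

def accepted(token, client_id, now=None):
    """True when the token passes every check above, False otherwise."""
    try:
        verify_identity_token(token, client_id, now)
        return True
    except ValueError:
        return False
```

Note that a token whose only defect is an unexpected email value passes every check here by design: the email is informational, and the account lookup keys on the returned `sub`.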


According to the security researcher, staff at Apple went through their logs and determined there was “no misuse or account compromise due to this vulnerability”.

Apple’s notification that all developers need to implement ‘Sign in with Apple’ in their apps if they are using some kind of social logins prompted Jain to examine the technology more closely, he told The Daily Swig.

“This led me to poke around ‘Sign in with Apple’ and to understand how it works,” he explained. “That’s when I found the vulnerability.”
