Details of a now-corrected “Sign in with Apple” vulnerability that could have allowed an attacker to take control of a user’s account have been revealed.
In April, researcher Bhavuk Jain discovered a critical vulnerability of Login with Apple that could have led to the acquisition of some user accounts. The bug was specific to third-party apps that used the feature and didn’t implement additional security measures .
Jain notes that Log in with Apple works by authenticating a user via a JWT (JSON Web Token) or a code generated by the Apple server . The Colossus of Cupertino therefore offers users the possibility to share the email linked to their Apple ID or a private forwarding email address, which creates a JWT used to access.
Jain then discovered that, thanks to the bug, it was possible to request a JWT for any email ID by passing the validation process using the Apple public key. By doing so, an attacker could create a JWT through this process and gain access to the victim’s account.
The impact of this vulnerability was rather critical as it could have allowed for full account acquisition. Many developers have integrated Sign in with Apple into their apps as it is mandatory for applications that support other social logins. To name a few who use Sign in with Apple: Dropbox, Spotify, Airbnb, Giphy (now acquired by Facebook ).
According to Jain, Apple conducted an investigation and concluded that no accounts were compromised using this method before the vulnerability was corrected. Jain received $ 100,000 from Apple as part of his Bounty security program for reporting the bug.