Indian developer reports critical flaw in Sign in with Apple; gets nearly Rs 75 lakh in reward

Published: June 1, 2020 7:57 AM

Apple had announced Sign in with Apple in 2019 to allow users (with an Apple ID) to simply and quickly sign into third-party apps and websites.

Apple has since fixed the issue. (Photo credit: Reuters)

A full-stack developer from India found a critical flaw in “Sign in with Apple” account authentication in April that could have allowed an attacker to take over any third-party account linked to it. 27-year-old Bhavuk Jain said in a blog post that he had reported the bug to Apple before disclosing it to the public on Saturday. Apple has since fixed the issue and paid him $100,000 (nearly Rs 75 lakh) under the Apple Security Bounty program, he added.

Apple had announced Sign in with Apple in 2019 to allow users (with an Apple ID) to simply and quickly sign into third-party apps and websites, its main USP being that it was supposed to be more private and secure than the conventional social sign-ins via Google and Facebook. While social sign-ins may be used to collect users’ personal data, Sign in with Apple promised to share far less: you could, for instance, sign up with apps and services without disclosing your real email address, since Apple can hand the service a private relay address that forwards to your Apple ID instead.

As it turns out, the system had a flaw that, according to Jain, did not even require spoofing Apple’s servers: Apple’s own authorization service would issue a genuinely signed token containing whatever email address the requester named, so anyone who knew your email address and had the technical know-how could obtain an Apple-signed token asserting it and present that token to any app or website you had linked with Sign in with Apple. The exposure was greatest for services that accepted the Apple token as the sole proof of identity and did not require any additional verification of their own, such as a second factor.

“The Sign in with Apple works similarly to OAuth 2.0. I found I could request JWTs (JSON Web Tokens) for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” Jain said. “This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”
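The two paragraphs above describe the mechanics: the provider mints a JWT, the relying party checks its signature against the provider’s public key, and a signature that verifies is taken as proof that the bearer owns the email in the token. The Go program below is an added example written for this page; it is not Jain’s code, Apple’s code, or anything from the original post. It stands in a toy identity provider (an RSA key generated at start-up, constructed here, where a real relying party would fetch Apple’s published public keys), mints a token whose email claim does not belong to the session’s subject, and shows that the relying party’s signature, issuer, audience and expiry checks all pass. The user store, the `sub` values, the audience `com.example.app` and the function names are all constructed for the example. The page does not say what subject identifier the mis-issued tokens carried, so the `sub`-keyed lookup at the end illustrates the general OpenID Connect practice of keying accounts on `sub` rather than on email; it is not presented as the fix for this particular bug, which was on Apple’s side.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of an OpenID Connect id_token a relying party inspects.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

// idpKey stands in for the provider's signing key (constructed for this example;
// a real relying party fetches the provider's public keys from its JWKS endpoint).
var idpKey, _ = rsa.GenerateKey(rand.Reader, 2048)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// IssueToken simulates the provider minting an RS256 id_token for (sub, email).
// Nothing here checks that email belongs to sub: that is the provider's job,
// and the article describes a case where that check was missing.
func IssueToken(key *rsa.PrivateKey, sub, email, aud string, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(Claims{
		Iss: "https://appleid.apple.com", Aud: aud, Sub: sub, Email: email,
		Exp: time.Now().Add(ttl).Unix(),
	})
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyToken does what a relying party must do before trusting any claim:
// pin the algorithm, check the signature with the provider's public key,
// then check iss, aud and exp. A valid result proves only that the provider
// issued the token, not that the bearer owns the email inside it.
func VerifyToken(token string, pub *rsa.PublicKey, expectedAud string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Never let the token pick its own algorithm ("none", HS256 with the public key, ...).
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != "https://appleid.apple.com":
		return nil, errors.New("wrong issuer")
	case c.Aud != expectedAud:
		return nil, errors.New("token minted for another client")
	case time.Now().Unix() >= c.Exp:
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Constructed relying-party user store, keyed two ways to show the difference.
var accountsByEmail = map[string]string{"victim@example.com": "acct-victim"}
var accountsBySub = map[string]string{"sub-victim": "acct-victim"}

// LoginByEmail treats the email claim as the account identifier.
func LoginByEmail(c *Claims) (string, bool) {
	a, ok := accountsByEmail[c.Email]
	return a, ok
}

// LoginBySub keys on the provider's stable subject identifier instead.
func LoginBySub(c *Claims) (string, bool) {
	a, ok := accountsBySub[c.Sub]
	return a, ok
}

func main() {
	const aud = "com.example.app"
	// Attacker's session, but the provider writes the victim's email into the token.
	tok, _ := IssueToken(idpKey, "sub-attacker", "victim@example.com", aud, time.Minute)
	c, err := VerifyToken(tok, &idpKey.PublicKey, aud)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("signature and standard claims valid")
	fmt.Println(LoginByEmail(c)) // acct-victim true
	fmt.Println(LoginBySub(c))   // "" false
}
```

Run it with `go run .`: the token passes every check a relying party can make, and an email-keyed lookup hands over the victim’s account. That is the shape of the failure the article describes; the only party able to stop it is the provider, which must not bind an email it has not verified for the session to the token it signs.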

Apple has made Sign in with Apple “mandatory” for all App Store apps that offer other social logins; Dropbox and Spotify are two examples of services that support it. “The impact of this vulnerability was quite critical as it could have allowed full account takeover,” Jain said.

But more importantly, Apple apparently “did an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability.” Apple is yet to publicly acknowledge the flaw.
