12.5 C
New York
Monday, June 1, 2020
Home News Apple awards hacker $100,000 for discovering a Sign In With Apple vulnerability

Apple awards hacker $100,000 for discovering a Sign In With Apple vulnerability

A vulnerability inside Sign In With Apple could have potentially allowed hackers to take over your linked, third-party accounts. Discovered by India-based security researcher Bhavuk Jain in April, Apple has since patched the loophole, and in recognition of the discovery, awarded Jain a bug bounty of $100,000.

Sign-in platforms, including the one by Apple, protect user identity by exchanging a token with the third-party service instead of providing a set of private credentials. This token is produced every time you click, in Apple’s case, the Sign-In With Apple button, and lets the third party authenticate you by running it through Apple’s database.

The bug that Bhavuk came across affected how Apple’s authentication service confirmed who was requesting that token in a session. While Sign-In With Apple needed a valid Apple account to work, it wasn’t verifying whether that same account was the one requesting a token. Therefore, irrespective of the device’s linked Apple account, Bhavuk was able to retrieve a token for any Apple ID and use that to illicitly take over its connected, third-party account.

Even though the victim’s Apple account wasn’t compromised, since that’s never directly revealed in the process, this loophole could have enabled intruders to log into any of the account’s Sign-In With Apple apps. It’s also worth noting that the bug would have proved detrimental only when the third-party service itself didn’t have any additional privacy protections of its own.

“The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple – Dropbox, Spotify, Airbnb, Giphy (Now acquired by Facebook). These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user,” wrote Bhavuk in a blog post.

Apple told Bhavuk, after investigating its internal logs, that “there was no misuse or account compromise due to this vulnerability.”

Launched about a year ago, Apple has centered its sign-in service around the idea of a more private and secure login experience. It has been adopted by a number of developers and companies including Airbnb, Dropbox, Adobe, TikTok, and more. It’s unclear for how long this vulnerability was left in the open and how far-reaching its effects would be on early adopters’ trust in the sign-in service. We’ve reached out to Apple regarding the same and we’ll update the story when we hear back.


Apple awards hacker $100,000 for discovering a Sign In With Apple vulnerability

It could have compromised the third-party accounts of Apple users

The $179 Timex Metropolitan R gives WearOS smartwatches reason to worry

Timex's affordable new smartwatch may look familiar, but it ticks off all the boxes and undercuts competitors.

Share your love for Android and the Pride community with these shirts

It's June and that means the beginning of summer, but also Pride Month. That means celebrations and parades to support

Show off your Pride with a fabulous Galaxy case

While shirts and sneakers are fun ways to show your pride, if you want to show yours off this Pride