$100,000 Bounty Zero-day Bug in “Sign in with Apple” Let Hackers Take Over the Users Accounts Remotely

Last year at WWDC, Apple presented one of its great innovations that is “Sign in with Apple.” But, recently, an Indian Security researcher has found a critical security flaw in this feature, which allows the hackers to gain control of a user account in third-party applications and services by just having their Email ID.

The ‘Sign in with Apple’ security feature was launched by Apple to be the classic feature to keep secure all its users’ data and privacy by logging into apps without revealing the email, but now this feature has potentially exposed the user data to the hackers.

This security flaw in ‘Sign in with Apple’ feature allows the hackers to circumvent the system authentication and steal the user accounts for specific services. But, you don’t have to worry, as Apple has already patched this flaw by paying about $100,000 as a reward to the Indian security researcher, Bhavuk Jain, who notified Apple about this vulnerability.

Zero-day flaw

In an interview, the security researcher from India, Bhavuk Jain, revealed that the vulnerability resided in the login system. More specifically, Apple validates a client-side user before initiating a request on Apple’s authentication servers. 

Here, one a user is authenticated through the system, the server generates a JWT, that is, a JSON Web Token that contains secret information that the app uses to confirm the identity of the user who logs in.

Moreover, Bhavuk has also notified, though Apple asked its users to log into their Apple account, before initiating the request, it will not validate if the same person requests the JWT in the next step from the server.

That’s why the missing validation in that part of the process could have allowed an attacker to provide a separate Apple ID belonging to a victim, tricking Apple servers into generating a useful JWT that is valid to log in with. Apart from this, Bhavuk has marked this flaw as critical, as it could have allowed the attackers to take a complete take over of the account.

Here’s what Bhavuk Jain has explained, “I could request JWTs for any Apple email ID, and when I verified the signature of those tokens using the Apple’s public key, they were shown to be valid. This means an attacker can easily spoof JWTs by linking any Email ID to it and gain access to the victim’s account.”

Moreover, Apple investigated the records of its servers and has confirmed that the flaw was not exploited by the hackers to compromise any account, in short, no potential abuse of the flaw has been detected.

If you’re interested to learn Bug bounty, you can take a complete Master Level Bug Bounty Course training from Ethical Hackers Academy to learn, find, and report the security vulnerabilities in hundreds of vendors.

So, what do you think about this? Share all your views and thoughts in the comment section below.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read:

PonyFinal – A Java-Based Ransomware Attack Enterprise Network Servers to Lock The Sensitive Data

Valak Malware Attack Microsoft Exchange Servers To Steal Enterprise Network Credentials

Leave a Reply