Apple has always advertised its products as the most secure and privacy-centric, and it has gone to great lengths to give user privacy the utmost importance.
But despite all that, there are always loopholes that get missed.
India's Bhavuk Jain found such a loophole in Apple's new 'Sign In with Apple' feature and was awarded $100,000 by the Cupertino giant. Jain found that this login system could have allowed malicious actors to take over someone's account on some websites and applications.
Jain reveals in his blog that the bug was linked to the way Apple was validating users who used the 'Sign In with Apple' service -- a feature Apple launched in 2019 to stop bots from tracking user behaviour to target them with ads, as well as to hide your email address from third-party apps or services.
For authorising someone, the feature uses a JWT, or JSON Web Token -- a code generated by Apple's servers. In the process of authentication, Apple gives users an option to share or hide their Apple ID with third-party apps. In case the user chooses the former, Apple makes a custom email for the user. Once authentication completes, Apple makes a JWT that consists of the email address. This is then used by the third-party app to sign in.
Now, this is where the problem surfaces. Jain found that one could easily request JWTs for any Apple ID. He explains in his blog, "When the signature of these tokens was verified using Apple's public key, they showed as valid. This means an attacker could forge a JWT by linking any email ID to it and gaining access to the victim's account."
While Apple was asking users to authenticate the account before the process, it wasn't really checking whether the same person was requesting a JWT from its server in the next stage.
He further explained, "The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins."
While giving examples of apps like Dropbox and Spotify, he stated, "These applications were not tested but could have been vulnerable to a full account takeover if there weren't any other security measures in place while verifying a user."
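The "other security measures" a relying party can apply when it receives an identity token are illustrated below. This is an added example, not code from Jain's write-up or from Apple: it uses a constructed HS256 key from the standard library in place of Apple's RS256 public keys, and a hypothetical client id, but the claim checks (issuer, audience, expiry, subject, nonce bound to the login session) are the ones a verifier should run after the signature alone "shows as valid".

```python
import base64, hashlib, hmac, json, time

# Constructed demo key standing in for Apple's signing key. Apple really signs
# identity tokens with RS256 and publishes the public keys; HS256 is used here
# only so the example runs with the standard library.
DEMO_KEY = b"constructed-demo-key"
EXPECTED_ISS = "https://appleid.apple.com"
EXPECTED_AUD = "com.example.relyingparty"  # hypothetical client id of our app

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a signed JWT (header.payload.signature) for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, expected_nonce: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Return the claims if the token is acceptable, else raise ValueError.
    A valid signature alone proves only that the issuer signed it; the relying
    party must also check who issued it, whom it is for, that it is unexpired,
    and that it answers the nonce this particular login session generated."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse algorithm substitution
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("token not issued for this app")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce does not match this login session")
    return claims
```

After verification, look the account up by the stable `sub` identifier rather than by the email claim, so an unexpected email value in a token cannot on its own map to another user's account.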
Apple carried out an investigation to look for any malpractices due to the vulnerability and discovered that no misuse has occurred. Apple has now patched the vulnerability.