Apple recently paid Indian vulnerability researcher Bhavuk Jain a huge $100,000 bug bounty for reporting a highly critical vulnerability affecting its ‘Sign in with Apple’ system.
The now-patched vulnerability could have allowed remote attackers to bypass authentication and take over targeted users’ accounts on third-party services and apps that have been registered using ‘Sign in with Apple’ option.
Launched last year at Apple’s WWDC conference, the ‘Sign in with Apple’ feature was introduced to the world as a privacy-preserving login mechanism that lets users sign up for accounts with third-party apps without disclosing their actual email addresses (which also serve as their Apple IDs).
In an interview with The Hacker News, Bhavuk Jain revealed that the vulnerability he discovered resided in the way Apple was validating a user on the client side before a token request was made to Apple’s authentication servers.
For those unaware, when a user authenticates via ‘Sign in with Apple’, Apple’s server generates a JSON Web Token (JWT) that carries the user’s identity claims (the real or relayed email address) and is signed by Apple; the third-party application verifies that signature and relies on those claims to confirm the identity of the signing-in user.
Bhavuk found that, although Apple asks users to log in to their Apple account before initiating the request, it was not validating that the same person was the one requesting the JWT from its authentication server in the next step.
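The failure the article describes, reduced to a runnable model. This is an added example, not Apple’s code or the researcher’s proof of concept: the token issuer is simplified to HS256 with a demo key (real Apple ID tokens are RS256-signed with keys Apple publishes as JWKs), the account directory, the client ID `com.example.thirdpartyapp` and the claim layout are all constructed for the demo. `issue_token_vulnerable` mints a token for whatever email the client asks for once any session exists; `issue_token_fixed` first checks that the signed-in account actually owns that address. The relying-party check is the same in both cases, which is the point: a correctly signed token for the victim’s email is indistinguishable from a legitimate one.

```python
import base64
import hashlib
import hmac
import json
import time

# Demo-only HS256 key. Real 'Sign in with Apple' ID tokens are RS256-signed with
# keys Apple publishes as JWKs; HS256 is an assumption that keeps this self-contained.
SIGNING_KEY = b"demo-signing-key-not-a-real-secret"
ISSUER = "https://appleid.apple.com"     # issuer claim Apple sets on its ID tokens
CLIENT_ID = "com.example.thirdpartyapp"  # hypothetical relying-party client ID

# Constructed account directory: which email addresses each signed-in Apple ID owns.
ACCOUNTS = {
    "victim_apple_id": {"victim@example.com"},
    "attacker_apple_id": {"attacker@example.com"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()


def mint_id_token(email: str) -> str:
    """Build and sign an ID token asserting `email` for the relying party."""
    now = int(time.time())
    header = {"alg": "HS256", "kid": "demo", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "email": email,
              "email_verified": "true", "iat": now, "exp": now + 600}
    header_b64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    claims_b64 = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{claims_b64}".encode()
    return f"{header_b64}.{claims_b64}.{_b64url(_sign(signing_input))}"


def issue_token_vulnerable(session_apple_id: str, requested_email: str) -> str:
    """Flawed issuer: confirms that a session exists, then signs a token for
    whatever email the client asked for, never checking the session owns it."""
    if session_apple_id not in ACCOUNTS:
        raise PermissionError("no authenticated Apple session")
    return mint_id_token(requested_email)


def issue_token_fixed(session_apple_id: str, requested_email: str) -> str:
    """Hardened issuer: the requested email must belong to the signed-in account."""
    owned = ACCOUNTS.get(session_apple_id)
    if not owned:
        raise PermissionError("no authenticated Apple session")
    if requested_email not in owned:
        raise PermissionError("requested email does not belong to the signed-in account")
    return mint_id_token(requested_email)


def relying_party_email(token: str) -> str:
    """What the third-party app does: verify signature, issuer, audience and
    expiry, then trust the email claim. Returns the email or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    signing_input = f"{header_b64}.{claims_b64}".encode()
    if not hmac.compare_digest(_sign(signing_input), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) < int(time.time()):
        raise ValueError("expired")
    return claims["email"]


if __name__ == "__main__":
    # Attacker holds a valid session for their own Apple ID but asks for the victim's email.
    forged = issue_token_vulnerable("attacker_apple_id", "victim@example.com")
    print("vulnerable issuer, RP sees:", relying_party_email(forged))
    try:
        issue_token_fixed("attacker_apple_id", "victim@example.com")
    except PermissionError as exc:
        print("fixed issuer refuses:", exc)
```

The relying party cannot fix this on its side: the forged token passes signature, issuer, audience and expiry checks exactly like a genuine one, so the only place the check can live is in the issuer, between "this session is authenticated" and "sign a token for this email".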