Apple Pays Hacker $100,000 For ‘Sign In With Apple’ Security Shocker – Forbes
When Apple announced Sign in with Apple at the June 2019 worldwide developers conference, it called it a “more private way to simply and quickly sign into apps and websites.” The idea was, and still is, a good one: replace social logins that can be used to collect personal data with a secure authentication system backed by Apple’s promise not to profile users or their app activity.
One of the plus points that got a lot of attention at the time was the ability for a user to sign up with third-party apps and services without needing to disclose their Apple ID email address. Unsurprisingly, it has been pushed as being a more privacy-oriented option than using your Facebook or Google account.
Fast forward to April 2020, and a security researcher from Delhi uncovered a critical Sign in with Apple vulnerability that could allow an attacker to take over an account with just an email ID. Apple deemed the flaw important enough to pay him $100,000 (£81,000) as a reward through its bug bounty program.
With the vulnerability now patched by Apple on the server side, Bhavuk Jain published his disclosure of the security shocker on May 30. Although the vulnerability affected only third-party apps that used Sign in with Apple without taking any further security measures, it’s shocking for two reasons.
Firstly, because it could have allowed a full takeover of user accounts on those applications, regardless of whether the victim had signed up with a valid Apple ID email or not.
Secondly, and potentially even more of a shocker, because Apple didn’t catch this critical security flaw itself during development.
I’m not going to go into the technical detail of how this vulnerability could have been exploited here as, frankly, it will go over the heads of all but the geekiest of readers. Take a look at the full disclosure if you want a deep dive into it all. The long and short of it is that Jain found he could request authentication tokens for any email ID from Apple, and those tokens would then pass verification against Apple’s public key and, as such, be treated as valid.
An attacker could, therefore, forge a token linked to any email ID and gain access to the victim’s account using it. Hiding your email ID from the third-party app wouldn’t have prevented this exploit.
That said, it’s important to note that Jain said Apple carried out an internal investigation and determined that no account compromises or misuse had occurred before the vulnerability was fixed.
I spoke to Sean Wright, SME application security lead at ImmersiveLabs, regarding the vulnerability which he describes as being “a significant flaw.” Wright also says that he “would have expected better testing around this from a company such as Apple, especially when it is trying to set itself a reputation as privacy-focused.”
I have asked Apple for a statement regarding this issue and will update the article if one is forthcoming.