Sign in with Apple bug discovery earns developer $100,000
Details of a now-patched vulnerability in the "Sign in with Apple" account authentication have been revealed, a zero-day that could have allowed an attacker to take control of a user's account.
Launched in 2019, "Sign in with Apple" is intended to be a more privacy-focused alternative to website and app log-in systems powered by Facebook and Google accounts. By minimizing the amount of a user's data that is used for authentication and account creation, the API also helped reduce the amount of tracking Facebook and Google performed on users, in turn making it more private.
Disclosed on Saturday by security-focused developer Bhavuk Jain, a zero-day vulnerability in Sign in with Apple had the potential to let an attacker gain access to, and fully take over, a user's account on a third-party application. According to Jain, the bug would have enabled a change in control of the application's user account, regardless of whether the user had a valid Apple ID or not.
The way Sign in with Apple functions is that it relies on either a JSON Web Token (JWT) or a code generated by Apple's servers, with the latter used to generate a JWT if it doesn't exist. While authorizing, Apple provides users with options to either share or hide their Apple Email ID with the third-party app, with a user-specific Apple relay email ID created for the latter selection.
After a successful authorization, Apple produces a JWT, which contains the email ID, and is used by the third-party application to log the user in.
Jain discovered in April it was possible to request a JWT for any email ID, and when the signature of the token is verified using Apple's public key, they are deemed to be valid. In effect, an attacker could create a JWT through this process, and gain access to the victim's account.
As Apple mandates the inclusion of Sign in with Apple in apps with other social-based login systems, the attack had a very broad base of apps that it was theoretically effective against. An investigation by Apple's security team determined the vulnerability has not been used in any attacks.
Jain responsibly disclosed the flaw to Apple, which led to an award from Apple's bug bounty program worth $100,000. Apple has since patched the vulnerability, but it isn't clear exactly how yet.