Get rich quick! Work from home! Earn $100,000 easy – just find a critical flaw in Apple's sign-in system

Yeah, we know 'just' is doing a lot of hard work, we're being flippant


Security researcher Bhavuk Jain has landed a $100,000 payday after he reported a critical flaw in Apple’s sign-in system that could be exploited to access countless accounts on sites from Dropbox and Spotify to Airbnb.

In April, Jain discovered the vulnerability in “Sign in with Apple” – a single sign-on service launched last year – which allows people to use their Apple account IDs to log into third-party apps. He sent his bug report to Cupertino through its bug bounty program, and at the weekend, with $100,000 in hand and Apple having patched the issue, he revealed details of the flaw.


“What if I say, your Email ID is all I need to takeover your account on your favorite website or an app. Sounds scary, right?” posted Jain, a full-stack developer specializing in React Native mobile apps, based in India.

"A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins."

The security hole affected all third-party apps that use the service – Apple’s equivalent of the Facebook and Google sign-in services – and “could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”

The service follows the OpenID Connect pattern and works in one of two ways: after the user authenticates with Apple, the third-party app either receives a JSON Web Token (JWT) signed by Apple directly, or receives an authorization code generated by Apple’s servers, which the app’s backend then exchanges with Apple for that JWT. During authorization, in either flow, Apple gives the user the option to share their Apple ID email address with the third party. If they choose that option, the email address is included as a claim in the token, and it is that claim which many third-party apps use to identify which of their accounts the user is logging into.

Access all areas

Jain, 27, discovered that he could ask Apple’s authorization endpoint for a token containing any email address he chose, and because Apple itself signed the result, it verified correctly against Apple’s public key. The token wasn’t forged in the cryptographic sense: the signature was genuine, which is exactly why third-party apps accepted it. In other words, all an attacker needed was the victim’s email address to obtain a token that would log them into that person’s account on a third-party website.

Services that were vulnerable to the flaw – because they had integrated Apple’s login system – included Dropbox, Spotify and Airbnb, Jain noted. “The impact of this vulnerability was quite critical as it could have allowed full account takeover,” he noted.

Apple verified the programming blunder, patched it on its servers, and, according to Jain, investigated whether the flaw was exploited, and concluded that it had not. It was, potentially, a hugely embarrassing issue for Apple that could have set back its efforts to challenge Facebook and Google, and Jain is $100,000 better off for having discovered it first.

Back in April, another security researcher received $75,000 from Apple for discovering a way to hack Apple's Safari browser and access the camera on both Macs and iPhones. The hole was filled in an update to the browser. ®

Biting the hand that feeds IT © 1998–2022