Security researcher Bhavuk Jain has landed a $100,000 payday after he reported a critical flaw in Apple’s sign-in system that could be exploited to access countless accounts on sites from Dropbox and Spotify to Airbnb.
In April, Jain discovered the vulnerability in “Sign in with Apple” – a single-sign-in service launched last year – which allows people to use their Apple account IDs to log into third-party apps. He sent his bug report to Cupertino through its bug bounty program, and at the weekend, with $100,000 in hand and Apple having patched the issue, he revealed details of the flaw.
You, Apple Mac fan. Put down the homemade oat-milk latte, you need to patch a load of security bugs, tooREAD MORE
“What if I say, your Email ID is all I need to takeover your account on your favorite website or an app. Sounds scary, right?” posted Jain, a full-stack developer specializing in React Native mobile apps, based in India.
"A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins."
The security hole affected all third-party apps that use the service – Apple’s equivalent of the Facebook and Google sign-in services – and “could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”
The service works in one of two ways: a user is authenticated by either using a JSON Web Token (JWT) or a code generated by Apple’s servers, which is then used to generate a JWT. In the Apple-server approach, Apple provides the user with an option to share their Apple email ID with a third-party. If they chose that option, the email ID is included within the token.
Access all areas
Jain, 27, discovered that he could request tokens for any email ID and, if he verified them with Apple’s public key, they would be accepted as valid. In other words, it was possible to forge a token if you have someone’s email and then access their account on third-party websites.
Services that were vulnerable to the flaw – because they include Apple’s login system – include Dropbox, Spotify and Airbnb, Jain noted. “The impact of this vulnerability was quite critical as it could have allowed full account takeover,” he noted.
Apple verified the programming blunder, patched it on its servers, and, according to Jain, investigated whether the flaw was exploited, and concluded that it had not. It was, potentially, a hugely embarrassing issue for Apple that could have set back its efforts to challenge Facebook and Google, and Jain is $100,000 better off for having discovered it first.
Back in April, another security researcher received $75,000 from Apple for discovering a way to hack Apple's Safari browser and access the camera on both Macs and iPhones. The hole was filled in an update to the browser. ®