Apple closes critical „Sign in with Apple“ security flaw, pays huge bug bounty

Dealing with passwords is always some kind of necessary burden.

Whether you use a password manager (you should!) or not, entering your credentials to access a service is always a matter of trust. The level of trust needed is even higher if you use another service that manages the login for you, as "Sign in with Apple" does: depending on the service and its support for this login method, all you need to log in to a site is your Mac password, once you have linked the device to that service.

Nothing is perfect, security is always a race between the hare and the tortoise, and companies like Apple offer a bug bounty for anyone who finds a serious flaw. This time, Apple paid a sizeable $100,000 bug bounty to Indian vulnerability researcher Bhavuk Jain for reporting a security flaw classified as "highly critical" in Apple's "Sign in with Apple" system.

The good news is that Apple has since patched the vulnerability. In theory, remote attackers could have bypassed the authentication mechanism to take over other people's accounts, gaining access to every third-party app and service that uses Apple's "Sign in with Apple" feature. The feature was introduced at last year's WWDC as a privacy-preserving authentication mechanism for Apple-related devices.

In an interview with The Hacker News, Bhavuk Jain revealed that the vulnerability he discovered lay in the way Apple validated a user on the client side before a request was made to Apple's authentication servers. To clarify: when a user authenticates via "Sign in with Apple", Apple's server generates a JSON Web Token (JWT) containing signed identity information that the third-party application uses to confirm the identity of the user who is trying to log in.

Bhavuk found that, although Apple asks users to log in to their Apple account before initiating the request, it did not validate that the same person was the one requesting the JWT in the next step from its authentication server. In other words, the missing check in that part of the flow could have allowed an attacker to name a different Apple ID, one belonging to a victim. That would ultimately have tricked Apple's servers into generating a JWT payload that was valid for signing in to a third-party service with the victim's identity.
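A minimal model of the server-side check the article describes, added here as an illustration and not code from Apple or from the researcher: the vulnerable issuer signs whatever identity the client names, while the fixed issuer binds the token's subject claim to the identity that actually authenticated. The HS256 signing, the demo key, the session dictionary and the `issue_token_*` function names are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real issuer signs with its private key (Apple uses RS256).
SIGNING_KEY = b"demo-signing-key-not-real"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_jwt(claims: dict) -> str:
    """Build a compact HS256 JWT (hypothetical stand-in for the real issuer)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def issue_token_vulnerable(session: dict, requested_sub: str) -> str:
    """Models the flaw: login is checked, but the identity put into the token
    comes from the request instead of from the authenticated session."""
    if not session.get("authenticated"):
        raise PermissionError("login required")
    return sign_jwt({"iss": "https://appleid.apple.com", "sub": requested_sub})


def issue_token_fixed(session: dict, requested_sub: str) -> str:
    """Hardened variant: the subject must equal the identity that authenticated."""
    if not session.get("authenticated"):
        raise PermissionError("login required")
    if requested_sub != session["sub"]:
        raise PermissionError("requested identity does not match the logged-in user")
    return sign_jwt({"iss": "https://appleid.apple.com", "sub": session["sub"]})


def subject_of(token: str) -> str:
    """What a relying party does: verify the signature, then trust the sub claim."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        raise ValueError("bad signature")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["sub"]
```

The relying party cannot tell the two tokens apart, since both carry a valid issuer signature; only the issuer's own binding of `sub` to the authenticated session closes the gap.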

In the same conversation with The Hacker News, the researcher stated that the vulnerability worked even if the user chose to hide his email-based ID from the third-party service, and that it could also be used to sign up for a new account with the victim's Apple ID. "The impact of this vulnerability was quite critical as it could have allowed a full account takeover. Many developers have integrated "Sign in with Apple" since it is mandatory for applications that support other social logins — also Medium does. To name another few that use "Sign in with Apple" — Dropbox, Spotify, Airbnb, Giphy (recently acquired by Facebook)," Bhavuk added, showing how severe the effect of this flaw could have been for users.

Although the vulnerability was proven to lie on Apple's side of the code, the researcher noted that some services and apps offering "Sign in with Apple" might already have been using a second factor of authentication, which would have mitigated the issue for their users. Bhavuk responsibly reported the issue to Apple's security team about a month earlier, and the company has now patched the vulnerability.

Besides paying the bug bounty to the researcher, Apple also confirmed that it had investigated its server logs and found no evidence that the flaw was exploited to compromise any account. Thanks to the calm and focused work of Bhavuk Jain, this issue was stopped early, but it could have turned into a serious loss of trust and reputation for Apple's widely used "Sign in with Apple" service.