Apple fixes sign-in bug that would have let anyone log into your apps
Apple has fixed a sign-in bug that could have allowed malicious individuals to take control of a user’s account, paying $100,000 to the person who found it.
The flaw relates to the “Sign in with Apple” feature, which the company introduced in 2019 as a privacy-focused alternative to the sign-in options from Facebook or Google, yet one that is easier than using an email login.
At the end of May, however, developer Bhavuk Jain disclosed a software vulnerability which meant that hackers could have achieved a “full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”
The issue was caused by code generated from Apple’s servers that was used to log in based on a user’s Apple ID email, but it was found that code could be generated for any email identification and Apple would verify the login.
“Sign in with Apple” works by using a JWT (JSON Web Token) or a code from the Apple server. The request is made to the server, a JWT is sent to the user, which then logs into the third party application via Apple’s servers again. All of this is done almost instantly.
However, Jain found that the JWT request was not secure. “I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account,” Jain wrote.
After disclosing the bug, Jain received $100,000 as part of Apple’s bug bounty program. Apple says that it had checked its server logs and found no evidence that the exploit was used to take control of any accounts.
This is not the only patch Apple had to make to its iOS 13.5 update. It also patched a jailbreak exploit before the launch of its new operating system that has reportedly been circulating on the internet since at least February.
