“Sign in with Apple” is potentially more private than other login options, but it apparently included a serious security flaw.
A new report from The Hacker News explains that researcher Bhavuk Jain recently received a $100,000 USD bug bounty for discovering a flaw in the sign-in service when available through third-party apps.
The Zero Day vulnerability could have allowed a hacker to break into an Apple user’s account who log into third-party apps like like Dropbox, Spotify, Airbnb, Giphy, and more.
If an app didn’t have its own security measures, an attacker could forge a token linked to any email ID and verify it as “valid” using Apple’s public key. That could allow a “full account takeover” even if you chose to hide your email from other services, Jain explained.
According to Jain, the “Sign in with Apple” works similarly to “OAuth 2.0.” “There are two possible ways to authenticate a user by either using a JWT (JSON Web Token) or a code generated by the Apple server. The code is then used to generate a JWT,” he explained.
In the second step, while authorizing, Apple gives an option to a user to either share the Apple Email ID with the third-party app or not. If the user decides to hide the Email ID, Apple generates its own user-specific Apple relay Email ID.
“Depending upon the user selection, after successful authorization, Apple creates a JWT which contains this email ID which is then used by the 3rd party app to login a user,” said Jain.
He found that he could request JWTs for any email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid.
“This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account,” Jain noted.
Launched in 2019, “Sign in with Apple” is aimed to be a more privacy-focused alternative to third-party logins.