Apple has awarded a bug bounty hunter $100,000 for finding and reporting a critical security issue that could lead to the takeover of third-party user accounts.
Researcher Bhavuk Jain discovered the vulnerability in the “Sign in with Apple” feature, a developer feature that allows users to sign in to services using Apple IDs.
Sign in with Apple was introduced to improve privacy and create sign-in procedures for third-party websites and apps using Apple’s ID and two-factor authentication processes, while also keeping tracking at bay.
However, Jain found a means to bypass authentication mechanisms and take over third-party user accounts, just by knowing a target’s email ID.
According to the bug bounty hunter, the security flaw existed due to how the iPad and iPhone maker handled client-side user validation requests.
Users can either be authenticated by Apple via a JSON Web Token (JWT) or a code generated by a server.
Users can choose whether or not to share their email ID with a third-party as part of the authentication process.
If the email ID is hidden, Apple generates a JWT token containing this information which is then used by the third-party service to authenticate a user.
However, the researcher found a validation conflict in how Apple handles JWT requests in comparison to the authentication provided when a user logs into their account before starting requests.
He found he could request JWTs for any email ID from Apple and when the signature of these tokens was verified using
Apple’s public key, they showed as valid.
This means an attacker could forge a JWT by linking any email ID to it and gaining access to the victim’s account.
The vulnerability has now been patched.