News

Bug Venator mercedem $ 100K per Apple Inc. |Bhavuk Jain

Apple has awarded a bug bounty hunter $100,000 for finding and reporting a critical security issue that could lead to the takeover of third-party user accounts.

Researcher Bhavuk Jain discovered the vulnerability in the “Sign in with Apple” feature, a developer feature that allows users to sign in to services using Apple IDs.

Sign in with Apple was introduced to improve privacy and create sign-in procedures for third-party websites and apps using Apple’s ID and two-factor authentication processes, while also keeping tracking at bay.

tamen, Jain found a means to bypass authentication mechanisms and take over third-party user accounts, just by knowing a target’s email ID.

According to the bug bounty hunter, the security flaw existed due to how the iPad and iPhone maker handled client-side user validation requests.

Users can either be authenticated by Apple via a JSON Web Token (JWT) or a code generated by a server.

Users can choose whether or not to share their email ID with a third-party as part of the authentication process.

If the email ID is hidden, Apple generates a JWT token containing this information which is then used by the third-party service to authenticate a user.

tamen, the researcher found a validation conflict in how Apple handles JWT requests in comparison to the authentication provided when a user logs into their account before starting requests.

He found he could request JWTs for any email ID from Apple and when the signature of these tokens was verified using

Apple’s public key, they showed as valid.

This means an attacker could forge a JWT by linking any email ID to it and gaining access to the victim’s account.

The vulnerability has now been patched.

Suyash

Hoc Suyash ex India. A studere CyberSecurity, Youtuber, Blogger, Freelancer et penester. Solet articulos scribit communicare scientiam cum mundo.

Recent Posts

Top Apps and Software for Budding Musicians

With the rise of many technological trends, all industries are reaping the benefits. Different technologies

12 months ago

Top 9 Tips to Keep Yourself Safe When Gaming Online

Online gaming is the latest normal in today’s fast-paced digital world. The internet now offers

1 year ago

Pros And Cons Of Getting A Tax Extension for Your Fintech Business

Tax season: the time of year many individuals and businesses dread. The weight of ensuring

1 year ago

Top 5 Games Which Became Most Popular in 2023 – Detailed Review!

As we enter in the final months of 2023, we can talk more clearly about

1 year ago

Erit umquam liber Minecraft Legend?

Since its release in 2011, Minecraft has become one of the most played video games

1 year ago

Can Minecraft Java ludendum cum Xbox?

Minecraft has been active for more than a decade, and in that time it has

1 year ago

This website uses cookies.