A security researcher from Delhi discovered a vulnerability in Apple’s “Sign in with Apple” feature, first introduced in June 2019. The flaw could have allowed a malicious party to take over an account with only an email ID.
Apple paid $100,000 for the find through its bug bounty program. Now that Apple has fixed the bug, the researcher, Bhavuk Jain, has published a disclosure of it.
“In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures,” Jain wrote. “This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”
When Apple introduced its “Sign in with Apple” feature in 2019, it touted it as a "more private way to simply and quickly sign into apps and websites." A user could sign up with third-party apps and services without needing to provide their Apple ID email address.
The vulnerability, publicly reported on May 30, was notable because it could have allowed an attacker to take over users’ accounts regardless of whether the victim had a valid Apple ID email. Forbes noted that the flaw was all the more surprising because Apple did not catch it during development.
Jain said he found that he could request authentication tokens from Apple for any email ID, and “when the signature of these tokens was verified using Apple’s public key, they showed as valid.”
“This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account,” he wrote.
Jain noted that an internal investigation carried out by Apple concluded that no account compromises or misuse had occurred before the vulnerability was patched.