A full-stack developer from India apparently found a critical flaw in “Sign in with Apple” account authentication in April that could have allowed hackers to fully take over any account linked to it. Bhavuk Jain, 27, said in a blog post that he had reported the bug to Apple before disclosing it to the public on Saturday. Apple has since fixed the issue and paid him $100,000 (nearly 75 lakh rupees) under the Apple Security Bounty program, he added.
Apple had announced Sign in with Apple in 2019 to allow users (with an Apple ID) to simply and quickly sign into third-party apps and websites, its main USP being that it was supposed to be more private and secure than more conventional sign-ins via Google and Facebook. While social sign-ins may be used to collect users’ personal data, Sign in with Apple promised a completely anonymous approach. You could, for instance, sign up with apps and services without disclosing your Apple ID.
As it turns out, the whole system was marred by a zero-day vulnerability, according to Jain, that could have allowed anybody with your email address and the technical know-how to spoof the Apple ID servers and gain access to all your online accounts. This was especially true for accounts linked to apps and websites that did not deploy any security measures of their own.
“The Sign in with Apple works similarly to OAuth 2.0. I found I could request JWTs (JSON Web Tokens) for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” Jain said. “This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”
Apple has made Sign in with Apple “mandatory” for all applications that support other social logins; Dropbox and Spotify are two examples. “The impact of this vulnerability was quite critical as it could have allowed full account takeover,” Jain said.
But more importantly, Apple apparently “did an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability.” Apple has yet to publicly acknowledge the flaw.
Copyright© educationpost.in 2024 All Rights Reserved.