A full-stack developer from India apparently found a critical flaw in “Sign in with Apple” account authentication in April that could have potentially allowed hackers to fully take over any account linked to it. 27-year-old Bhavuk Jain claimed in a blog post that he had reported the bug to Apple before disclosing it to the public on Saturday. Apple has since fixed the issue, and paid him $100,000 (nearly 75 lakh Rupees) as part of the Apple Security Bounty program, he added.
Apple had announced Sign in with Apple in 2019 to allow users (with an Apple ID) to simply and quickly sign into third-party apps and websites, its main USP being that it was supposed to be more private and secure than more conventional sign-ins via Google and Facebook. While social sign-ins may be used to collect users’ personal data, Sign in with Apple promised a completely anonymous approach. You could, for instance, sign up with apps and services without disclosing your Apple ID.
As it turns out, the whole system was marred by a zero-day vulnerability, according to Jain, that could have allowed anybody with your email address and the technical know-how to spoof the Apple ID servers and gain access to all your online accounts. This was especially true for accounts linked to apps and websites that did not deploy any security measures of their own.
“The Sign in with Apple works similarly to OAuth 2.0. I found I could request JWTs (JSON Web Tokens) for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” Jain said. “This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”
Apple has made Sign in with Apple “mandatory” for all applications that support other social logins. Dropbox and Spotify are two examples. “The impact of this vulnerability was quite critical as it could have allowed full account takeover,” Jain said.
But more importantly, Apple apparently “did an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability.” Apple is yet to publicly acknowledge the flaw.
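The flaw Jain describes sat on Apple's side: the tokens were correctly signed, so a relying party could not reject them on signature grounds alone. What the article calls "security measures of their own" is the relying party's token validation and account-linking policy. The following is an added example, not code from the article, from Jain's write-up or from Apple, showing how a third-party app can validate an ID token (algorithm pinned, signature, issuer, audience, expiry, nonce) and then key the local account on the stable `sub` claim rather than on the email, so that a token carrying a user's email but an unrecognised `sub` triggers an explicit verification step instead of a silent login. Assumptions: real Sign in with Apple tokens are RS256-signed and verified against Apple's published public keys; this example substitutes an HMAC (HS256) key so it runs offline with only the standard library. The issuer string is Apple's documented value, the audience (`client_id`) and all accounts, subs and emails are constructed.

```python
"""
Relying-party validation of a "Sign in with Apple"-style ID token (JWT).

Added example, not the article's, Apple's or the researcher's code.
ASSUMPTION: an HS256 shared key stands in for Apple's RS256 public key so
the block runs offline; audience and sample accounts are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

ASSUMED_ISSUER = "https://appleid.apple.com"      # documented Apple issuer
ASSUMED_AUDIENCE = "com.example.app"             # constructed client_id
SHARED_KEY = b"constructed-test-key-not-for-production"  # stand-in for Apple's key


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, key=SHARED_KEY):
    """Mint an HS256 JWT (test-only stand-in for the identity provider)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "constructed-kid"}
    signing_input = "%s.%s" % (
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return "%s.%s" % (signing_input, _b64url_encode(sig))


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def verify_id_token(token, expected_nonce, now=None, key=SHARED_KEY):
    """Signature plus iss/aud/exp/nonce checks; returns the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, c_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except Exception:
        raise TokenError("undecodable header or signature")
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, ("%s.%s" % (h_b64, c_b64)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ASSUMED_ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != ASSUMED_AUDIENCE:
        raise TokenError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    # The nonce ties this token to the login attempt that requested it.
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")
    if "sub" not in claims:
        raise TokenError("missing sub")
    return claims


def resolve_account(claims, accounts):
    """
    Map verified claims to a local account.

    Policy: the stable `sub` is the identity. An email that matches an
    existing account never linked to this `sub` is NOT an automatic login;
    it is routed to an explicit verification step. `accounts` maps a local
    user id to {"email": ..., "apple_sub": ... or None}.
    """
    sub, email = claims["sub"], claims.get("email")
    for user_id, rec in accounts.items():
        if rec.get("apple_sub") == sub:
            return ("login", user_id)
    for user_id, rec in accounts.items():
        if email and rec.get("email") == email:
            return ("link_requires_verification", user_id)
    return ("create", "")
```

The design point is the order of the two lookups in `resolve_account`: a signed token is only ever a claim that the provider vouches for some subject, so the app binds trust to `sub` and treats an email-only match as a linking request that needs its own confirmation (a mailed code, a password re-prompt, or similar) before the session is granted.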