Sign in with Apple—a privacy-enhancing tool that lets users sign in to third-party apps without revealing their email addresses—just fixed a bug that made it possible for attackers to gain unauthorized access to the same accounts.
“In the month of April, I found a zero-day in Sign In with Apple that involved third-party applications that were using it and did not implement their own security measures,” app developer Bhavuk Jain wrote on Sunday. “This bug could have resulted in a full account takeover of user accounts on a third-party app regardless of whether the victim had a valid Apple ID or not.”
Jain privately reported the flaw to Apple under the company’s bug bounty program and received a handsome $100,000 payout. The developer shared the details after Apple updated the login service to remove the vulnerability.
Sign in with Apple debuted in October as an easier, more secure, and more private way to access applications and websites. Faced with a mandate that many third-party iOS and iPadOS applications offer the option to log in with Apple, a host of high-profile services entrusted with large amounts of sensitive user data adopted it.
Instead of using a social media account or email address, filling out Web forms, and choosing a password, iPhone and iPad users can click a button and sign in with Face ID, Touch ID, or a device passcode. The vulnerability opened those users up to the possibility that their third-party accounts could be completely taken over.
The service, which works similarly to the OAuth 2.0 standard, authenticates users using either a JWT—short for JSON Web Token—or a code generated by an Apple server. In the latter case, the code is then exchanged for a JWT. Apple gives users the option of sharing their Apple email ID with the third party or keeping it private. When users keep the ID private, Apple creates a JWT that contains a user-specific ID generated by Apple.
“I found that I could request JWTs for any Email ID from Apple and when verifying the signature of these tokens using Apple’s public key, they proved valid,” Jain wrote. “This means that an attacker can generate a JWT by linking any Email ID to it and gain access to the victim’s account.”
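The checks a relying party performs on one of these tokens are worth seeing concretely. The following is an added example, not code from Ars Technica, Apple, or Jain: a minimal RS256 JWT minted with a throwaway key that stands in for Apple's signing key, and the verification a third-party app should do before trusting the email inside it. The issuer string, the claim names (`iss`, `aud`, `email`, `nonce`, `exp`) and the sample values are assumptions following the OpenID Connect convention the article alludes to, not taken from the page. The signature, audience, expiry and nonce checks are the "own security measures" on the app's side; they confirm that the token was genuinely issued by the provider, for this app, for this login attempt. They could not by themselves detect a token the provider itself signed for the wrong email, which is why the fix had to land on Apple's side.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Assumed issuer value; claim names follow the OpenID Connect convention.
const appleIssuer = "https://appleid.apple.com"

// Claims is the subset of identity-token fields the relying party must check.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	Nonce string `json:"nonce"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken plays the identity-provider side: RS256 over base64url(header).base64url(payload).
func MintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c) // a flat struct of strings and ints cannot fail to marshal
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyToken is the relying-party side: pinned algorithm and signature first, then issuer, audience, expiry, and the nonce tied to this login attempt.
func VerifyToken(pub *rsa.PublicKey, token, wantAud, wantNonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header unreadable or alg not RS256") // never let the token choose the algorithm
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature invalid")
	}
	var c Claims
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("payload unreadable")
	}
	switch {
	case c.Iss != appleIssuer:
		return nil, errors.New("wrong issuer")
	case c.Aud != wantAud:
		return nil, errors.New("token issued to a different client_id")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case c.Nonce == "" || c.Nonce != wantNonce:
		return nil, errors.New("nonce mismatch")
	}
	return &c, nil
}

// Demo mints tokens with a throwaway key standing in for Apple's and reports, per case, whether the relying-party check accepted the token.
func Demo() map[string]bool {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Unix(1700000000, 0) // fixed clock so results are reproducible
	base := Claims{Iss: appleIssuer, Aud: "com.example.app", Email: "victim@example.com", // constructed values
		Nonce: "n-7f3a", Exp: now.Add(10 * time.Minute).Unix()}
	genuine, _ := MintToken(key, base)
	// Keep the genuine signature but rewrite the payload to name another email: the signature no longer matches.
	fb, _ := json.Marshal(Claims{Iss: base.Iss, Aud: base.Aud, Email: "attacker@example.com", Nonce: base.Nonce, Exp: base.Exp})
	p := strings.Split(genuine, ".")
	tampered := p[0] + "." + b64(fb) + "." + p[2]
	// Correctly signed but minted for a different app, and correctly signed but stale.
	other, old := base, base
	other.Aud, old.Exp = "com.example.other", now.Add(-time.Minute).Unix()
	crossApp, _ := MintToken(key, other)
	expired, _ := MintToken(key, old)
	results := map[string]bool{}
	for name, tok := range map[string]string{"genuine": genuine, "tampered": tampered, "cross_app": crossApp, "expired": expired} {
		_, err := VerifyToken(&key.PublicKey, tok, "com.example.app", "n-7f3a", now)
		results[name] = err == nil
	}
	return results
}
```

`Demo()` returns `genuine: true` and `false` for the tampered, cross-app and expired tokens. The order of the checks matters: the signature is verified over the raw base64url segments before the payload is parsed or any claim is trusted, and the algorithm is pinned rather than read from the token, so a header claiming `none` or an HMAC algorithm is rejected before any key is consulted.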
There is no indication the bug has ever been exploited.