A security researcher in Delhi, India, reported that Apple paid him $100,000 through its bug bounty program for finding a vulnerability in its Sign in with Apple feature that could have resulted in the takeover of users’ third-party website and app accounts.
In a May 30 blog post, researcher Bhavuk Jain explains how he detected the bug that could have fully compromised third-party user accounts , regardless their whether or not users had a valid Apple ID. Apple has since reportedly corrected the flaw, although it has not publicly addressed the bounty payment.
The computer company’s sign-in works similarly to 0Auth 2.0. According to Jain, there are two ways to authenticate a user: 1) a JWT (JSON Web Token) or 2) a code generated by the Apple server. The code then generates a JWT.
“In the second step, while authorizing, Apple gives an option to a user to either share the Apple email ID with the third-party app or not,” Jain wrote. “If the user decides to hide the email ID, Apple generates its own user-specific Apple relay email ID. Depending upon the user selection, after successful authorization, Apple creates a JWT (JSON web token) that contains this email ID, which is then used by the third-party app to log in a user.”
Displaying a screenshot of a decoded JWT payload, Jain explains in his post that he was able to request JWTs for any email associated with an Apple ID after the signature of valid tokens was verified using Apple’s public key.
“This means an attacker could forge a JWT by linking any email ID to it and gaining access to the victim’s account,” Jain wrote.
The potential impact that this vulnerability could have left was significant because applications that support social media-based logins are required by Apple to integrate the the company’s sign-in feature as well. Jain says Spotify, DropBox, Airbnb and Giphy (recently acquired by Facebook) among the services that offer this feature.
“These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user,” Jain said, adding that Apple investigated its logs and could not determine misuse or account compromise due to the vulnerability.