Skip to main content

Sign in with Apple vulnerability could have led to account takeovers

(Image credit: Pixabay)

A critical vulnerability in Apple's 'Sign in with Apple' system could have allowed remote attackers to take over targeted user accounts on third-party services and apps.

The company's Sign in with Apple feature, which launched at WWDC 2019, gives users the ability to login to third-party apps and websites using their Apple ID. The feature also helps protect users' privacy as they can use its 'hide my email' function to withhold their email addresses from apps and sites.

Independent security researcher Bhavuk Jain first discovered the bug in Sign in with Apple last month and the company paid him a $100,000 bug bounty after he responsibly disclosed it. In a blog post, Jain explained just how serious this now-patched vulnerability could have been, saying: 

“The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple - Dropbox, Spotify, Airbnb, Giphy (Now acquired by Facebook). These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user.”

Sign in with Apple

The Sign in with Apple system works in a similar way to OAuth 2.0 and users can be authenticated by either using a JSON Web Token (JWT) or a code generated by the company's server which is then used to generate a JWT.

Jain discovered that he could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple's public key, they showed as valid. As a result, an attacker could forge a JWT by linking any Email ID to it and this would grant them access to the victim's linked accounts.

After Jain submitted his findings to Apple, the company conducted an investigation of its logs and determined that there was no misuse or account compromise that exploited the vulnerability.

Thankfully Jain disclosed the vulnerability in a timely manner before it could become a zero-day where a flaw is discovered and exploited before a fix for the issue is made available.

Via The Hacker News