
Researcher Discloses 'Sign in with Apple' Zero-Day Flaw

Bug Bounty Hunter Reveals Critical Issue Affecting Third-Party Applications

An independent security researcher disclosed a zero-day vulnerability contained in the "Sign in with Apple" feature that, if exploited, could have resulted in a full account takeover.


The Sign in with Apple feature enables users to sign into apps and websites using their Apple ID. The vulnerability has been patched, and Apple says it found no account misuse tied to it, according to the researcher who discovered the zero-day flaw.

Apps Affected

The zero-day vulnerability, which affected third-party applications that use "Sign in with Apple" without adding their own security measures on top of it, was revealed in a blog posted May 30 by Bhavuk Jain. As a reward for the disclosure, Apple paid Jain a $100,000 bug bounty.

Sign in with Apple authenticates a user to a third-party app in one of two ways, Jain notes: Apple either returns a JSON Web Token, or JWT, directly, or returns an authorization code that is then used to obtain a JWT from Apple. The app trusts the identity (including the email address) carried in that token once it has verified Apple's signature on it.

"I found I could request JWTs for any Email ID from Apple, and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” Jain wrote. “This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account."
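The flaw described above was on Apple's side: the tokens were genuinely signed by Apple, so a relying party that checked only the signature and then trusted the email claim would accept them. The following Go program is an added example, not code from the article or from Jain, showing the full set of checks a relying party should perform on an identity token before trusting any claim in it: a pinned algorithm, the signature, the issuer, the audience (the app's own client ID), the expiry, and a nonce that binds the token to the login attempt the app actually started, after which the account is keyed on the stable `sub` identifier rather than on the email claim. The issuer key, client ID, nonce and claim values are local stand-ins generated in the example, not Apple's; the page does not say which safeguards the unaffected apps used, so this is the standard practice rather than a description of any specific app.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// appleIssuer is the "iss" value Apple places in its identity tokens.
const appleIssuer = "https://appleid.apple.com"

// JWTs use base64url without padding.
var b64 = base64.RawURLEncoding

// mintToken signs an RS256 JWT over claims. It stands in for Apple's token
// endpoint in this example; the private key is a locally generated stand-in.
func mintToken(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "example-kid"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyAppleIDToken validates an identity token for one app (clientID) and one
// login attempt (expectedNonce) at time now, and returns the stable "sub"
// identifier. The account record should be keyed on that value, never on the
// email claim, which is data inside the token rather than the user's identity.
func verifyAppleIDToken(token string, pub *rsa.PublicKey, clientID, expectedNonce string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return "", err
	}
	// Pin the algorithm; never let the token pick it (rules out "none" and HS256 confusion).
	if header.Alg != "RS256" {
		return "", fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("bad signature")
	}
	payloadJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var claims struct {
		Iss   string `json:"iss"`
		Aud   string `json:"aud"`
		Exp   int64  `json:"exp"`
		Sub   string `json:"sub"`
		Nonce string `json:"nonce"`
	}
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return "", err
	}
	switch {
	case claims.Iss != appleIssuer:
		return "", fmt.Errorf("unexpected issuer %q", claims.Iss)
	case claims.Aud != clientID:
		return "", fmt.Errorf("token issued for another app: aud=%q", claims.Aud)
	case !now.Before(time.Unix(claims.Exp, 0)):
		return "", errors.New("token expired")
	case claims.Nonce == "" || claims.Nonce != expectedNonce:
		return "", errors.New("nonce mismatch: token not bound to this login attempt")
	case claims.Sub == "":
		return "", errors.New("missing sub")
	}
	return claims.Sub, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for Apple's signing key
	now := time.Now()
	tok, _ := mintToken(priv, map[string]interface{}{
		"iss": appleIssuer, "aud": "com.example.app", "sub": "001234.abcdef.5678",
		"email": "victim@example.com", "nonce": "n-1", "exp": now.Add(10 * time.Minute).Unix(),
	})
	sub, err := verifyAppleIDToken(tok, &priv.PublicKey, "com.example.app", "n-1", now)
	fmt.Println("sub:", sub, "err:", err)
}
```

In production the public key is looked up by the token's `kid` in Apple's published JWKS rather than held locally, and the nonce is the one the app generated and stored in the session when it began the sign-in request, so a token obtained out of band cannot be replayed into a different session.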

The bug bounty hunter points out that the potential damage that could have been wrought by exploiting the vulnerability was significant because Sign in with Apple is widely used by app developers.

Dan McInerney, senior researcher with the security firm Coalfire, says exploiting the vulnerability could open the door to a "full account takeover with very little effort. It is extremely dangerous, especially because the malicious actor could easily automate the process to get access to almost every Apple account in existence. It almost rendered all other Apple security irrelevant."

Bug Bounty Benefits

Apple has no qualms about paying large bug bounties. In August 2019, the company announced it would pay up to $1 million for a kernel-level exploit that requires no interaction from the victim and persists across reboots, and it raised the bounty amounts for a wide variety of other issues (see: Apple Expands Bug Bounty; Raises Max Reward to $1 Million).

McInerney says the $100,000 bug bounty that Jain earned was reasonable.

"I would not have been surprised to see an even higher amount here, given the intense gravity of the vulnerability,” he says.

But Katie Moussouris, CEO of Luta Security, which focuses on building organizational readiness for vulnerability disclosures, says tech firms have to guard against paying bounties that are too high.

"There's a logical limit above which the defense market cannot rise, or you will end up shanking your own hiring pipeline and creating these perverse incentives," she says.

Bug bounty platform provider HackerOne announced on Thursday it had surpassed the $100 million mark in bounty payouts it has facilitated since its inception in 2013. The average payout is $771, the company reports.

Also on Thursday, Google announced it was expanding its Vulnerability Rewards Program to cover all the critical open-source dependencies of Google Kubernetes Engine, with a $10,000 top payout.


About the Author

Doug Olenick


Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.



