Apple recently fixed a security vulnerability in its ‘Sign in with Apple’ framework that would have allowed attackers to bypass authentication and access other users’ accounts. The issue was reported by researcher Bhavuk Jain, who received $100,000 from Apple under its bug bounty program.
‘Sign in with Apple’ Bug Would Have Allowed Account Hijacking
Apple introduced ‘Sign in with Apple’ as a privacy-focused alternative to Facebook and Google authentication methods, which are used by countless apps and services around the world. The feature optionally hides a user’s email addresses to ensure that privacy is maintained.
Apple recently made it mandatory for all App Store apps that offer sign-in via Facebook, Google or other third-party services to also offer ‘Sign in with Apple’. ‘Sign in with Apple’ is already used by many services on the web, and is quickly becoming the authentication method of choice for many users.
Researcher Bhavuk Jain spoke to The Hacker News in an interview and explained how the vulnerability worked. ‘Sign in with Apple’ generates a JSON Web Token (JWT) carrying the user’s identity information, which third-party apps use to authenticate that user. However, Apple was not validating that the JWT being requested belonged to the same Apple ID that had initiated the sign-in. This meant an attacker could switch the Apple ID in the request and trick Apple into issuing a token that authenticated a login to another user’s account.
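The flaw described above sits on the issuing side, not in the relying party: a token that names the wrong account still carries a valid signature, so the app that checks it cannot tell the difference. The following is an added example, not code from Apple or from Jain’s write-up, that contrasts a flawed token issuer, which copies the email claim from the client’s request, with a hardened one that takes identity claims only from the authenticated session. Everything in it is constructed for the demonstration: the session table, the issuer URL, the key, and the use of HS256 (the real service signs with an asymmetric key, which the verifying app checks with Apple’s public key).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (not Apple's real issuer, key or claim layout).
# HS256 is used so the example runs offline without key generation; the real
# service uses an asymmetric signature verified with the issuer's public key.
ISSUER_KEY = b"demo-issuer-secret-not-a-real-key"
ISSUER = "https://issuer.example"
TOKEN_TTL_SECONDS = 300

# Constructed table of authenticated sessions at the issuer: who actually
# logged in. In the real flow this is the identity provider's server state.
SESSIONS = {
    "session-alice": {"sub": "001234.alice", "email": "alice@example.com"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact JWT (header.payload.signature) over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = "{}.{}".format(
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes, audience: str, now: Optional[int] = None) -> Optional[dict]:
    """Relying-party check: signature, algorithm, issuer, audience and expiry.

    Returns the claims on success, None on any failure. Note what it cannot
    check: whether the issuer bound the email claim to the right account.
    """
    try:
        head_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        if header.get("alg") != "HS256":  # refuse "none" or any other algorithm
            return None
        expected = hmac.new(key, f"{head_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def _claims_for(sub: str, email: str, audience: str) -> dict:
    now = int(time.time())
    return {"iss": ISSUER, "aud": audience, "sub": sub, "email": email,
            "iat": now, "exp": now + TOKEN_TTL_SECONDS}


def issue_token_vulnerable(session_id: str, requested_email: str, audience: str) -> str:
    """Flawed pattern: the email from the client-supplied request goes into the
    token without being checked against the account that authenticated, so a
    correctly signed token can name a different user."""
    if session_id not in SESSIONS:
        raise PermissionError("no authenticated session")
    sub = hashlib.sha256(requested_email.encode()).hexdigest()[:16]  # derived from the request, not the session
    return sign_jwt(_claims_for(sub, requested_email, audience), ISSUER_KEY)


def issue_token_hardened(session_id: str, requested_email: str, audience: str) -> Optional[str]:
    """Fixed pattern: identity claims come only from the authenticated session;
    a request naming any other email is refused."""
    session = SESSIONS.get(session_id)
    if session is None or requested_email != session["email"]:
        return None
    return sign_jwt(_claims_for(session["sub"], session["email"], audience), ISSUER_KEY)


if __name__ == "__main__":
    app = "com.example.app"
    bad = issue_token_vulnerable("session-alice", "bob@example.com", app)
    print("vulnerable issuer, relying party sees:", verify_jwt(bad, ISSUER_KEY, app)["email"])
    print("hardened issuer refuses mismatched email:", issue_token_hardened("session-alice", "bob@example.com", app))
```

Running it shows the relying party accepting the mismatched token from the vulnerable issuer, since every check it can perform passes; only the hardened issuer, which refuses to mint a token for an email that the session did not authenticate, closes the gap. That is the shape of a server-side fix for this class of bug, and it is why the third-party apps’ own signature checks were no defence here.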
As per Bhavuk Jain’s interview:
“I found I could request JWTs for any Email ID from Apple, and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID and gaining access to the victim’s account.”
The vulnerability worked regardless of whether the user had chosen to hide their email address from the third-party service. However, where two-factor authentication was in use, some apps and services had another layer of protection for their users against such attacks.
Once Jain reported the issue, Apple patched the flaw on its side. Apple also investigated and confirmed that the flaw had not been exploited.