A bug bounty hunter has disclosed a severe flaw in Apple’s “Sign in with Apple” feature that, if exploited, could have allowed an attacker to hijack people’s accounts on major third-party services. According to Bhavuk Jain, any accounts on third-party apps and websites that used the authentication method but did not implement any additional security measures of their own were at risk.
Jain discovered the bug in April and went on to report it to Apple, which rewarded him with US$100,000 under the company’s Security Bounty program. The Indian bug bounty hunter said that Apple investigated their logs and didn’t find records of any account compromise or misuse stemming from the vulnerability. The bug has since been patched, although Apple has yet to comment publicly on Jain’s findings.
— Bhavuk Jain (@bhavukjain1) May 24, 2020
Jain notes that there are two ways “Sign in with Apple” authenticates users – either by using a JSON web token (JWT) or by Apple’s servers generating a code, which then generates a JWT. When signing in, the user then has the option to either share their Apple ID associated mail with the third-party app or not.
In the latter scenario, a user-specific Apple relay Email ID is generated. Once authorization is successful, Apple generates a JWT containing the Email ID, which is used by the third-party app to log the user in. Due to missing validation, however, there was a way to subvert the process involving the JWT to hijack a user’s account – and it only required knowing the target’s email ID.
“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account,” said Jain.
The Cupertino tech giant requires developers to add a “Sign in with Apple” option whenever other forms of social logins (Facebook, Google) are available. The feature is used by countless major services, such as Spotify, Airbnb, Adobe, eBay, and Dropbox, to name a few.
Earlier this year, a pair of severe security vulnerabilities was found in iOS Mail app, which comes pre-installed on all iOS devices. The flaws have been since patched and an update has been rolled out to the public.