Serviceteam IT Security News
A security researcher has been awarded $100,000 by Apple after disclosing a critical flaw in the firm’s sign-in process for third-party sites.

Bhavuk Jain discovered the zero-day bug in Sign in with Apple, the Cupertino giant’s supposedly more privacy-centric version of Login with Facebook and Sign in with Google.

The system works in a similar way to OAuth 2.0: users can be authenticated either with a JSON Web Token (JWT) or with a code generated by an Apple server, which is then exchanged for a JWT.

Once the authorization request has been submitted, Apple gives the user the option of either sharing their Apple email ID with the third-party app they are signing in to or hiding it.

“If the user decides to hide the Email ID, Apple generates its own user-specific Apple relay Email ID. Depending upon the user selection, after successful authorization, Apple creates a JWT which contains this Email ID which is then used by the third-party app to log in a user,” explained Jain.

“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”

The repercussions are pretty serious: an attacker could have used this technique to effect a full takeover of user accounts.

Jain warned that, if popular third-party apps such as Dropbox, Spotify and Airbnb didn’t put in place their own authentication security measures, their users may have been exposed by the bug.

“Apple also did an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability,” he explained.

The researcher received the reward after disclosing the bug responsibly through the Apple Security Bounty Program.

Source: Infosecurity Magazine

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!