Bhavuk Jain discovered the zero-day bug in Sign in with Apple, the Cupertino giant’s supposedly more privacy-centric version of Login with Facebook and Sign in with Google.
The system works in a similar way to OAuth 2.0: users can be authenticated with either a JSON Web Token (JWT), or a code generated by an Apple server which is then used to generate a JWT.
Once the authorization request has been submitted, Apple provides the user with an option, to share their Apple Email ID with the third-party app they’re trying to sign-in to, or not.
“If the user decides to hide the Email ID, Apple generates its own user-specific Apple relay Email ID. Depending upon the user selection, after successful authorization, Apple creates a JWT which contains this Email ID which is then used by the third-party app to login a user,” explained Jain.
“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”
The repercussions are pretty serious: an attacker could have used this technique to effect a full takeover of user accounts.
Jain warned that, if popular third-party apps such as Dropbox, Spotify and Airbnb didn’t put in place their own authentication security measures, their users may have been exposed by the bug.
“Apple also did an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability,” he explained.
The researcher received the money by disclosing responsibly to the Apple Security Bounty Program.
Source: Infosecurity Magazine