Indian security researcher, Bhavuk Jain discovered a critical vulnerability affecting Apple's 'Sign in with Apple' system that could allow attackers to bypass authentication and take over victim's account on third-party applications which have been providing 'Sign in with Apple' option to its user.
Apple also rewarded a security researcher by giving a $1,00,000 bug bounty for reporting a highly critical flaw.
Last year, Apple launched 'Sign in with Apple' feature and introduces it as a privacy-protecting login system that allows users to sign up an account with third-party applications without disclosing their actual Email ID.
Security researcher, Bhavuk Jain found the critical vulnerability in the way Apple was validating a user on the client-side before initiating a request from Apple's auth servers.
How 'Sign in with Apple' Feature Works?
While authenticating a user via 'Sign in with Apple', the auth server generates JWT (JSON Web Token) which contains secret confidential information that third-party app uses for verifying the sign-in users.
However, a security researcher found that before initiating the request, Apple asks users to log in to their Apple account, it was not verifying if the same user is requesting JWT in the next step from its auth server.
Therefore, the missing verifying in that part could allow an attacker to forge a JWT by providing any Apple ID to it and taking control of the victim's account. Security researcher, Bhavuk also demonstrated the same.
Security researcher, Bhavuk said that the flaw worked even if the user chooses to hide their Email ID from the third-party applications and can also be exploited to sign up a new account with the users' Apple ID.
The impact of this flaw was too critical. Many developers (includes Airbnb, Spotify, Dropbox, etc) have integrated 'Sign in with Apple' feature since it is essential for apps that support other social logins.
Apple has patched the flaw immediately. Apple also did an investigation on this and confirmed that the flaw was not exploited to breach any users' accounts.
If you have any questions related to highly critical 'Sign in with Apple' flaw and also want to share your views on this then please mention in the comments box and I will get back to you.