A security researcher at the security firm Computest discovered a flaw in Apple's implementation of Touch ID (the biometric feature) as used to authenticate users who log in with their Apple ID to websites in the Safari browser.
The researcher reported the flaw to Apple, and the company fixed it with a server-side update.
Apple Touch ID Authentication Flaw
When a user signs in to a site that requires an Apple ID, a prompt is shown offering to authenticate the login with Touch ID (biometrics). A login completed through Touch ID skips the 2FA (Two-Factor Authentication) step, because the trusted device plus the biometric is treated as satisfying the second factor.
When a user logs in to an Apple site such as www.icloud.com the standard way, with an Apple ID and password, the site embeds an iframe pointing to https://idmsa.apple.com (Apple's login validation server), which handles the authentication.
The iframe URL also carries two parameters:
1. client_id — identifies the service requesting the login
2. redirect_uri — the URI the user is redirected to after successful authentication
When the login uses Touch ID, the iframe is handled differently: Safari hands the Touch ID step to akd (the AuthKit daemon), which then fetches a grant_code token that icloud.com uses to complete the login. To obtain that token, akd talks to an API on "gsa.apple.com".
The flaw was in that "gsa.apple.com" API. akd submits both the client_id and the redirect_uri to it, but the API never checked that the redirect URI actually belonged to that client ID: any redirect URI on a domain ending in "icloud.com", "icloud.com.cn", or "apple.com" was accepted for any client. As a result, the grant code issued for one client (such as icloud.com) could be delivered to a different page on any of those domains, so an attacker able to place content on such a page (for instance through a cross-site scripting flaw) could receive a token for the victim's Apple ID without the victim entering a password or completing 2FA; the user only had to touch the Touch ID sensor.
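To make the missing check concrete, the following is an added example in Python; it is not Apple's code and not from Computest's report. The weak check models the behaviour described above (known client plus Apple-owned domain suffix, with no link between the two parameters), while the strict check binds redirect_uri to client_id by exact match against a per-client registry and additionally requires https and no fragment. The client IDs, URLs and grant code value are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed registry of OAuth-style clients and the redirect URIs each one
# registered. These client IDs and URLs are illustrative, not Apple's real data.
REGISTERED_REDIRECTS = {
    "icloud-web": {"https://www.icloud.com/auth/callback"},
    "apple-store": {"https://www.apple.com/shop/signin/callback"},
}

# The domain suffixes the article says were accepted for any client.
ALLOWED_SUFFIXES = ("icloud.com", "icloud.com.cn", "apple.com")


def host_under_suffix(host: str, suffix: str) -> bool:
    """True if host is the suffix itself or a subdomain of it (dot boundary respected)."""
    return host == suffix or host.endswith("." + suffix)


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Models the flawed logic: the client must be known and the redirect host
    must sit under an Apple-owned domain, but nothing ties redirect_uri to client_id."""
    if client_id not in REGISTERED_REDIRECTS:
        return False
    host = (urlparse(redirect_uri).hostname or "").lower()
    return any(host_under_suffix(host, s) for s in ALLOWED_SUFFIXES)


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: https only, no fragment, and the redirect_uri must exactly
    equal one of the URIs registered for this specific client_id."""
    parsed = urlparse(redirect_uri)
    if parsed.scheme != "https" or parsed.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def issue_grant_code(client_id, redirect_uri, check, grant_code="GRANT-CODE-EXAMPLE"):
    """Simulates the token endpoint: returns the URL the grant code would be sent
    to if the check passes, or None if the request is rejected. grant_code is a
    placeholder value, not a real token."""
    if not check(client_id, redirect_uri):
        return None
    sep = "&" if "?" in redirect_uri else "?"
    return f"{redirect_uri}{sep}grant_code={grant_code}"


def run_scenarios(client_id="icloud-web"):
    """Evaluates a victim login for one client against both checks and several
    redirect targets. Returns {target: (weak_accepted, strict_accepted)}."""
    targets = [
        "https://www.icloud.com/auth/callback",         # the URI this client registered
        "https://www.apple.com/shop/signin/callback",   # another client's callback
        "https://support.apple.com/page-with-xss",      # hypothetical attacker-influenced page
        "http://www.icloud.com/auth/callback",          # right host, plaintext scheme
        "https://apple.com.attacker.example/callback",  # outside the allowed domains
    ]
    return {
        t: (
            issue_grant_code(client_id, t, weak_redirect_check) is not None,
            issue_grant_code(client_id, t, strict_redirect_check) is not None,
        )
        for t in targets
    }


if __name__ == "__main__":
    for target, (weak_ok, strict_ok) in run_scenarios().items():
        print(f"{target:50} weak={weak_ok!s:5} strict={strict_ok!s:5}")
```

Only the registered callback passes the strict check; every other target on an Apple-owned domain is accepted by the weak check, which is exactly the gap that lets a grant code for the icloud.com client land on an unrelated apple.com page.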
Another scenario is a malicious Wi-Fi hotspot. An attacker running a rogue hotspot at an airport, train station, or hotel could use the captive-portal page that each connecting device opens to load the malicious iframe and trigger the Touch ID prompt, and so could compromise a large number of iCloud accounts at once, gaining access to device backups, photos, videos, location data, and much more.
If you have any questions about the Apple Touch ID vulnerability, or want to share your views on it, please leave them in the comments box and I will get back to you.