When the Cupertino giant announced “Sign in with Apple” last year, the company called the new feature “a simpler and more private way to quickly access applications and websites”. The idea is appealing: replace the usual social logins, which can be used to collect personal data, with a secure authentication system that hands no personal information to third parties.
However, like any other system, Apple’s feature can have holes. In fact, last April the developer and security researcher Bhavuk Jain discovered a zero-day vulnerability in “Sign in with Apple” that could have resulted in the takeover of basically any account (if Apple hadn’t already fixed it, of course).
According to him, the flaw specifically compromised third-party apps that used Apple’s login feature and did not implement additional security measures. It is worth noting that the developer only went public after informing Apple about the bug and after the company had released a fix for the problem (as well as having paid a good amount of money for the discovery).
Back to the bug: Jain explains that “Sign in with Apple” authenticates a login via a JWT (JSON Web Token), a token generated by Apple’s server. In addition, the company offers the option of sharing the email linked to your Apple ID or a private relay address; either way, authentication relies on that JWT.
The developer then found that when a JWT was requested for an Apple ID (or a private relay address), the token was validated using Apple’s public key. Had the bug not been discovered, a JWT could have been created and used to gain access to the account.
The impact of this vulnerability was quite critical, as it could have allowed a complete account takeover. Many developers have integrated “Sign in with Apple”, since it is mandatory for applications that support other social logins.
Long story short: Jain said Apple conducted an investigation and concluded that no accounts were compromised by the bug. For the discovery, the developer received US$100,000 from the Apple Security Bounty (the company’s reward program). Not bad, huh?
via Hacker News