For a few weeks now we have been seeing that on various websites and third-party internet services we can "log in" with our Apple ID. The truth is that the first time I saw it I wrinkled my nose; I was not too pleased. For these things I already have a "junk" Gmail account where I don't care if I get spam, because I never look at it.
It is true that when Apple rolled out this system it made sure that the web service using it does not obtain the user's data and cannot send them spam (the service can be handed a relay address instead of the real one). But I, just in case, do not intend to use it. Now we learn that there was a security flaw in this system, and the company has rewarded the person who discovered it very well.
A security vulnerability in "Sign in with Apple" could have allowed attackers to take full control of user accounts on third-party services that are accessed through this system. Fortunately, the bug was spotted by the India-based security researcher Bhavuk Jain.
A $100,000 bounty
Here's my first 6 digit bounty from @Apple. Blog post will be up next week. #bugbounty pic.twitter.com/QygxvtGYJb
- Bhavuk Jain (@bhavukjain1) May 24, 2020
In a blog post published over the weekend, Jain explained that he reported the vulnerability to Apple in April. Cupertino quickly verified the bug and fixed it. Through Apple's bug bounty program, the researcher was rewarded with US$100,000 for the important find.
The bug involved the web tokens (signed JSON Web Tokens) that Apple generates when "Sign in with Apple" is used on third-party web services. Jain found that the vulnerability made it possible for anyone to request from Apple's servers a token for any Apple email ID, and because Apple itself signed that token, it passed the third-party service's identity check. An attacker could thus obtain a token tied to a victim's Apple ID and, from there, gain full access to the victim's account on the third-party service.
Many developers have integrated "Sign in with Apple" in apps that require an account and already offer other social logins, for example Facebook, Dropbox, Spotify, Airbnb and Giphy.
These apps could have been vulnerable to full account takeover if they had no other security measures in place while verifying the user. According to Jain, Apple conducted an investigation and determined that no account had been compromised through this flaw before it was fixed.
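As an added example (not from the original article or from Jain's write-up), the following Python sketches the relying-party side of an OpenID Connect login such as "Sign in with Apple": the service receives an ID token and checks its signature, issuer, audience, expiry and the nonce bound to the login session. The client ID, key, clock and token values are constructed for the example, and HMAC-SHA256 stands in for Apple's asymmetric signature so the code runs on the standard library alone. It shows that a token somebody has edited without the key is rejected, while a token genuinely signed by the issuer for an address the requester does not own passes every check, which is why a bug on the issuer's side is so dangerous and why the fix had to happen at Apple.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example only. Apple signs real ID tokens with an
# asymmetric key published at its JWKS endpoint; HMAC-SHA256 with a shared demo
# key stands in here so the example runs on the standard library alone.
ISSUER_KEY = b"constructed-demo-key-not-apples"
APPLE_ISSUER = "https://appleid.apple.com"
CLIENT_ID = "com.example.app"    # hypothetical relying party (Services ID)
SAMPLE_NOW = 1590000000          # fixed clock so results are reproducible
SAMPLE_NONCE = "n-4f2a9c"        # nonce the relying party minted for this login


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Stand-in for the identity provider: signs whatever claims it is handed."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class InvalidToken(Exception):
    pass


def verify_id_token(token: str, client_id: str, expected_nonce: str,
                    key: bytes = ISSUER_KEY, now: Optional[int] = None) -> dict:
    """Relying-party side: the standard checks before trusting an ID token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))   # parsed, but not trusted yet
        sig = _b64url_decode(s64)
    except ValueError:
        raise InvalidToken("malformed token")
    if header.get("alg") != "HS256":   # never let the token choose its own algorithm
        raise InvalidToken("unexpected alg")
    expected_sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        raise InvalidToken("bad signature")
    now = int(time.time()) if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise InvalidToken("wrong issuer")
    if claims.get("aud") != client_id:
        raise InvalidToken("token was issued for a different app")
    if claims.get("exp", 0) <= now:
        raise InvalidToken("token expired")
    if claims.get("nonce") != expected_nonce:
        raise InvalidToken("nonce does not match this login session")
    return claims


def accepts(token: str, client_id: str = CLIENT_ID, nonce: str = SAMPLE_NONCE,
            now: int = SAMPLE_NOW) -> bool:
    """True if the relying party would log the user in on this token."""
    try:
        verify_id_token(token, client_id, nonce, now=now)
        return True
    except InvalidToken:
        return False


def sample_token(email: str = "victim@example.com", **overrides) -> str:
    """A token the (simulated) issuer signs for the given email; kwargs override claims."""
    claims = {"iss": APPLE_ISSUER, "aud": CLIENT_ID, "exp": SAMPLE_NOW + 600,
              "sub": "001234.abcdef.1234", "email": email, "nonce": SAMPLE_NONCE}
    claims.update(overrides)
    return issue_id_token(claims)


def forge_without_key(token: str, email: str) -> str:
    """Attacker without the signing key swaps the email claim and keeps the old signature."""
    h64, p64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(p64))
    claims["email"] = email
    return f"{h64}.{_b64url(json.dumps(claims).encode())}.{s64}"


if __name__ == "__main__":
    legit = sample_token("alice@example.com")
    print("issuer-signed token for alice accepted:  ", accepts(legit))
    print("payload edited without the key accepted: ", accepts(forge_without_key(legit, "victim@example.com")))
    print("wrong audience accepted:                 ", accepts(sample_token(aud="com.other.app")))
    print("replayed nonce accepted:                 ", accepts(sample_token(nonce="stale")))
    # The dangerous case: the issuer itself signs a token for an address the
    # requester does not own. Every relying-party check passes.
    print("issuer-signed token for victim accepted: ", accepts(sample_token("victim@example.com")))
```

The last line of the demo is the whole point: every check a service can reasonably perform (signature, issuer, audience, expiry, nonce) succeeds, because nothing in the token is wrong from the service's perspective. The nonce and audience checks still matter, since they stop replay and cross-app reuse of tokens, but they cannot protect against an identity provider that issues a valid token for the wrong person.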