Apple has fixed a critical zero-day vulnerability in the “Sign in with Apple” account authentication page that could have given hackers complete access to user accounts.
For those unaware, Sign in with Apple was launched in June 2019 and promoted as a “more private way” to sign into apps and websites. It is designed to let users create accounts for third-party services with a minimal amount of personal information, requiring only a name and an email address.
Bhavuk Jain, a 27-year-old Indian full-stack developer and researcher who discovered the flaw in the “Sign in with Apple” system, found that the bug affected third-party apps and websites that used a user’s Apple ID for authentication but did not implement their own additional security measures.
“The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins,” Bhavuk Jain wrote in a blog post about the now-patched vulnerability.
“To name a few that use Sign in with Apple – Dropbox, Spotify, Airbnb, Giphy (Now acquired by Facebook). These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user.”
According to Jain, Sign in with Apple works similarly to OAuth 2.0.
“There are two possible ways to authenticate a user by either using a JWT (JSON Web Token) or a code generated by the Apple server. The code is then used to generate a JWT. The below diagram represents how the JWT creation and validation works,” Jain explained.
“In the 2nd step, while authorizing, Apple gives an option to a user to either share the Apple Email ID with the 3rd party app or not. If the user decides to hide the Email ID, Apple generates its own user-specific Apple relay Email ID. Depending upon the user selection, after successful authorization, Apple creates a JWT which contains this Email ID which is then used by the 3rd party app to log in a user.
“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gain access to the victim’s account.”
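The JWT creation and validation that Jain’s explanation refers to, shown as an added Go example written for this page; it is not code from the article, from Jain’s write-up or from Apple. It assumes a standard OpenID Connect token shape (iss, aud, exp, sub, email), an issuer string of https://appleid.apple.com and a constructed client id com.example.app; the RSA key it generates is a throwaway stand-in for Apple’s key, whose public half a third-party app would in practice fetch from Apple. The verifier pins the algorithm, checks the signature, and then checks that the token was issued by the expected provider, for this app, and has not expired.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

const issuer = "https://appleid.apple.com" // assumed value of the iss claim, not from the article

// Claims carried by the identity token a third-party app receives. Modelled on a standard
// OpenID Connect ID token (an assumption; the article itself only mentions the email claim).
type Claims struct {
	Iss   string `json:"iss"`   // who issued the token
	Aud   string `json:"aud"`   // which app it was issued for (that app's client id)
	Exp   int64  `json:"exp"`   // expiry, Unix seconds
	Sub   string `json:"sub"`   // stable per-user identifier
	Email string `json:"email"` // real or relay address chosen at authorization time
}

// newSigningKey generates a throwaway RSA key that stands in for the provider's real key.
func newSigningKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// decodePart base64url-decodes one JWT segment and unmarshals the JSON inside it.
func decodePart(s string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// signJWT mints an RS256 JWT, the identity provider's side of the exchange.
func signJWT(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyJWT is the relying party's side: check the signature against the provider's
// public key, then the claims that bind the token to this app and to the present moment.
func verifyJWT(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodePart(parts[0], &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm: the token must never get to choose "none" or a symmetric scheme.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != wantIss:
		return nil, fmt.Errorf("issuer %q is not %q", c.Iss, wantIss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("token was issued for %q, not this app", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	}
	return &c, nil
}
```

A signature that verifies proves only that the token was issued by the holder of the private key and was not altered afterwards; it says nothing about whether the email inside belongs to the person signing in. That is exactly why a token Apple itself had issued for an arbitrary email, as Jain describes, passed this check, and why the article singles out apps that relied on that email with no further checks of their own.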
Jain, who found the flaw in April, privately reported the bug to Apple under the company’s Security Bounty program and received a hefty $100,000 payout for discovering and reporting the vulnerability.
Before patching the bug, Apple conducted its own investigation of its logs and confirmed that there had been no misuse of the vulnerability and no account compromise.