A developer earns a bug bounty reward for reporting a Sign in with Apple zero-day vulnerability that could allow a hacker to access users’ online accounts.
When the “Sign in with Apple” service debuted in June 2019, it was praised for being a highly private way to authenticate with websites and applications. According to the company’s announcement made at last year’s Worldwide Developers Conference (WWDC) event, it was supposed to become a decent alternative to long-standing counterparts backed by Google and Facebook. Apple has since boiled the primary advantage of their solution down to a focus on privacy and simplicity. The login process can take place without a user having to provide their Apple ID email address when signing in to third-party resources. Furthermore, Apple is reportedly committed to avoiding the questionable practice of profiling users or otherwise harvesting their personal data. This is great, no doubt, but with a caveat. A developer from Delhi named Bhavuk Jain has recently unearthed a critical zero-day flaw in this system that could lead to account takeover in a snap.
Specifically, the researcher found a weak link in the mechanism used to generate the JSON Web Token (JWT) that accompanies each authentication session. This token is what actually signs the user in, regardless of whether they chose to reveal their Apple ID email address to the service or app they are accessing. According to the analyst, the problem was that a JWT could be requested for any email ID, not just the one actually belonging to the signed-in user, and Apple’s token verification logic did not flag such a request as suspicious. Once the JWT had passed the regular checks, it bore Apple’s signature and therefore verified correctly against Apple’s public key, which effectively validated the rogue credentials. The upshot was that an adversary could compromise an account without raising red flags.
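To make the design flaw concrete, here is an added toy illustration (not code from the article, Apple, or the researcher): a minimal token issuer that, in its flawed form, copies the email claim straight from the request, beside a hardened form that only issues tokens for an address already bound to the authenticated session. It assumes a constructed HS256 key, a constructed session store and example addresses; Apple actually signs with RSA, which does not change the point.

```python
import base64, hashlib, hmac, json, time

# Constructed toy key. Apple really uses an RSA private key (RS256); HS256 is
# used here only so the example is self-contained and runs offline.
SIGNING_KEY = b"example-only-toy-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(claims: dict) -> str:
    """Build a compact JWT (header.payload.signature) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify(token: str) -> dict:
    """Relying-party side: check the signature and return the claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

# Constructed session store: which addresses the authenticated user actually owns
# (the real Apple ID email and a constructed relay address standing in for
# the "hide my email" option).
SESSIONS = {
    "sess-1": {"sub": "user-001",
               "emails": {"alice@example.com", "x7q2@relay.example"}},
}

def issue_token_flawed(session_id: str, requested_email: str) -> str:
    # Flawed pattern: the email claim is whatever the client asked for, so the
    # issuer's signature vouches for an identity it never checked.
    session = SESSIONS[session_id]
    return _sign({"sub": session["sub"], "email": requested_email, "iat": int(time.time())})

def issue_token_fixed(session_id: str, requested_email: str) -> str:
    # Hardened pattern: the email claim must be bound to the authenticated
    # session; anything else is rejected before a signature is ever produced.
    session = SESSIONS[session_id]
    if requested_email not in session["emails"]:
        raise PermissionError("requested email is not bound to this session")
    return _sign({"sub": session["sub"], "email": requested_email, "iat": int(time.time())})
```

The flawed issuer happily signs a token naming an address the session never proved ownership of, and `verify` accepts it because the signature itself is genuine; the fix belongs in the issuer, not in the signature check.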
This discovery, obviously, is hard to square with Apple’s assurances of both a hassle-free and a private way to authenticate. The loophole had the potential to put numerous users’ digital well-being at risk. Another concern, perhaps an even more serious one, is that the technology giant had been unaware of this critical flaw for almost a year. Thankfully, Jain reported his findings to the company’s engineers via the bug bounty program, which earned him a whopping $100,000. Apple had already addressed the flaw by the time of this publication. Its security team also thoroughly analyzed server logs related to the “Sign in with Apple” framework and concluded that the bug had not been weaponized in real-world account hijacking campaigns.
For the record, it wasn’t until December 2019 that Apple opened its bug bounty program to everyone rather than a limited number of invited researchers. Before that, it had also been focused on iOS vulnerabilities only. The discovery in question shows that this was a move in the right direction.