A flaw in the "Sign in with Apple" option was found by a researcher named Bhavuk Jain and reported through Apple's bug bounty program. Apple introduced "Sign in with Apple" with one thing in mind: privacy. But the now-fixed weakness in that option could have let attackers take control of user accounts at third-party services that rely on it.
Sign in with Apple is a single sign-on provider operated by Apple Inc. Introduced at WWDC 2019, it lets users log into third-party apps using biometrics, and it lets users hide their email address from those apps.
According to The Hacker News, the vulnerability lay in how users were validated "on the client-side before initiating a request from Apple's authentication services". That validation step generates a JSON Web Token, which the third-party app consumes once Apple has validated the user. An attacker could substitute a different token and thereby trick Apple's authentication.
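To make the two sides of that token flow concrete, here is an added example (written for this page, not code from Apple, Jain or The Hacker News). It models a minimal ID-token issuer and a relying-party verifier. Two assumptions are labelled in the code: the toy issuer signs with HS256 and a shared secret so the example runs on the Python standard library alone (real Apple ID tokens are RS256-signed and verified against Apple's published public keys), and the client identifier `com.example.thirdpartyapp` is invented. The issuer takes its identity claims only from the authenticated session and ignores any client-supplied email, which is the property the paragraph above says was missing; the verifier then refuses tokens whose signature, algorithm, issuer, audience or expiry do not check out before it trusts the `email` claim.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the identity provider's signing key (assumption: HS256 with a
# shared secret, chosen to keep the example stdlib-only; Apple really uses RS256 + JWKS).
SIGNING_SECRET = b"constructed-demo-secret"
ISSUER = "https://appleid.apple.com"        # iss claim carried by real Apple ID tokens
CLIENT_ID = "com.example.thirdpartyapp"     # assumed relying-party identifier (aud claim)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64url(hmac.new(SIGNING_SECRET, signing_input, hashlib.sha256).digest())


def issue_id_token(session_email: str, requested_email: str, audience: str, now: int) -> str:
    """Identity-provider side. Identity claims come from the authenticated session only;
    requested_email (supplied by the client) is deliberately never used."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "aud": audience,
        "sub": hashlib.sha256(session_email.encode()).hexdigest()[:16],
        "email": session_email,
        "iat": now,
        "exp": now + 600,
    }
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode())).encode()
    return signing_input.decode() + "." + _sign(signing_input)


def verify_id_token(token: str, audience: str, now: int) -> dict:
    """Relying-party side: check signature, algorithm, issuer, audience and expiry
    before any claim in the payload is trusted."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_unb64url(h))
    if header.get("alg") != "HS256":            # pin the algorithm; rejects alg=none
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_sign(f"{h}.{p}".encode()), s):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:           # token minted for another app is useless here
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def demo() -> dict:
    """Constructed scenario: a session authenticated as attacker@example.com asks the
    issuer for a token naming victim@example.com, then tries to edit a valid token."""
    now = 1_700_000_000

    def outcome(token: str) -> str:
        try:
            return verify_id_token(token, CLIENT_ID, now)["email"]
        except ValueError as exc:
            return f"rejected: {exc}"

    honest = issue_id_token("attacker@example.com", "victim@example.com", CLIENT_ID, now)
    h, p, s = honest.split(".")
    forged_claims = json.loads(_unb64url(p))
    forged_claims["email"] = "victim@example.com"
    forged_payload = _b64url(json.dumps(forged_claims).encode())
    tampered = f"{h}.{forged_payload}.{s}"                       # payload edited, old signature
    none_header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    unsigned = f"{none_header}.{forged_payload}."                 # alg=none, empty signature
    other_app = issue_id_token("attacker@example.com", "", "com.other.app", now)

    return {
        "honest": outcome(honest),        # session identity wins: attacker@example.com
        "tampered": outcome(tampered),
        "alg_none": outcome(unsigned),
        "other_app": outcome(other_app),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

The point of `issue_id_token` is that the email in the signed token is bound to the session Apple actually authenticated, regardless of what the request body asks for; the point of `verify_id_token` is that a relying party never reads `email` out of a token it has not first validated end to end.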
In Jain's blog, he wrote: "The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple – Dropbox, Spotify, Airbnb, Giphy (Now acquired by Facebook)."
Under Apple's bug bounty program, Jain was rewarded $100,000 for the discovery; Apple also reviewed its server logs in connection with the report.