A vulnerability researcher has reported a highly critical vulnerability affecting Apple’s ‘Sign in with Apple’ system which could have allowed remote attackers to hack any account.
The vulnerability that has been patched now allows the attacker to bypass authentication and take over victim’s accounts on third-party services and apps which have been registered using ‘Sign in with Apple’ option.
The Indian researcher Bhavuk Jain was rewarded with a huge $100,000 bug bounty for reporting the issue.
‘Sign in with Apple’ feature which was launched last year at Apple’s WWDC conference was introduced as a privacy-preserving login technique that allows users to sign up an account with 3rd-party apps without revealing their actual email addresses (also used as Apple IDs).
Bhavuk Jain stated that the vulnerability resided in the way Apple was validating a user on the client-side before initiating a request from Apple’s authentication servers.
While authenticating a user through ‘Sign in with Apple,’ the server generates JSON Web Token (JWT) that includes the secret information that third-party application uses to confirm the identity of the user.
The researcher found that even though Apple asks users to log in to their Apple account before initiating the request, it does not validate whether the same person is requesting JSON Web Token (JWT) in the next step from its authentication server.
So, it is this missing validation that could have allowed an attacker to provide a separate Apple ID belonging to a victim, tricking Apple servers into generating JWT payload that was valid to sign in into a 3rd-party service with the victim’s identity.
According to Bhavuk, he was able to request JWTs for any Email ID from Apple, and when the signature of these tokens was verified using Apple’s public key, they showed as valid. So, an attacker could forge a JWT by linking any Email ID and gaining access to the victim’s account.
He also stated that the vulnerability worked even if the email ID is hidden from the 3rd-party services and can also be exploited to sign up a new account with the victim’s Apple ID.
This vulnerability is considered critical as it could lead to a full account takeover. Many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins.
The vulnerability resides on the Apple side of code, but it is possible that some services and app offering ‘Sign in with Apple’ to their users might have already been using a second factor of authentication that could mitigate the issue for their users.
Bhavuk reported the issue to the Apple security team last month after which it was patched. Apple also performed an investigation of their server logs and found that no accounts have been compromised.