The vulnerability allows an attacker to authenticate himself as any user to a service or app that uses the Apple login service. This would allow the attacker to act as this user within the service or app, to completely take over the Apple account within this context.
After authentication with the Apple login server is complete, an exchange begins between the third party service or app and the Apple server web tokens. Here,experts were able to inject modified tokens with a foreign identity and pretend to be the third party provider as this identity because Apple did not check whether the originally authenticated user and the user identity in the tokens match.
The method also worked if the Apple identity remained hidden from the third party provider and even if a new Apple user identity was created with the login. Third party providers who implement a second authentication method in addition to Apple’s login service were unlikely to be affected by the problem.
In an interview with The Hacker News, Bhavuk Jain revealed that the vulnerability he discovered resided in the way Apple was validating a user on the client-side before initiating a request from Apple’s authentication servers.
Fixed Bug In Apple’s Code
Apple has closed the gap before it became known. The error was in Apple’s code alone, not in other implementation. According to the company, after evaluating the server logs, no case was found in which this vulnerability was used to take the identity of a user without authorization. Apple’s registration alternative to similar services from Google is intended to provide a convenient, secure authentication method for Apple users who do not want to create a separate user account for each app. Since autumn, apps in Apple’s app stores have had to implement the service if they are already using comparable services from competitors.
As an alternative to the update, you can also simply switch to another mail app. Gmail users can use the Gmail app, for example. Anyone who spends a lot of time on the PC may be happy with the app. If you are looking for a more flexible mail client, you should try another one. Not only is it chic to look at, it also offers a few cool additional options that Apple’s standard mailer lacks.It is not necessary, but if you like, you can also delete the mail app from the iPhone. Simply tap the app icon a little harder and select it from the Delete app menu.