Apple just had a close shave with a security threat. The tech giant has expressed its gratitude to Indian researcher Bhavuk Jain for discovering a potential threat in its Sign in with Apple system.
A whopping sum of $100,000 was paid to the researcher by the tech giant. The company also affirmed that its examination, conducted to determine whether any user data had been compromised, came up negative.
On how he found the vulnerability, Bhavuk explained that a missing validation step was the key to the discovery. Authenticating a user via Sign in with Apple triggers the generation of a JSON Web Token (JWT), whose payload contains data used to establish the identity of the user signing in. Because that data was not validated, an attacker could have supplied a victim's Apple ID, tricking Apple's servers into generating a JWT that was valid for signing in to a third-party service with the victim's identity.
The company introduced Sign in with Apple last year to address privacy concerns. It was designed as a privacy-preserving login mechanism: users can sign up with third-party platforms without having to hand over their email addresses.
If the vulnerability had been left unchecked, attackers could have gained access to users' accounts on third-party apps by bypassing authentication.
In a press release, Bhavuk explained that the method Apple used to identify a user on the client side, before a request was sent to Apple's authentication servers, was instrumental in locating the vulnerability. The vulnerability worked even when the user's email ID was hidden, and could be exploited to create a new account using the victim's Apple ID.
The researcher believes that some services and apps offering Sign in with Apple might have implemented an additional authentication method, which would have mitigated the problem.
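The flaw described above is a classic identity-provider bug: the identity written into the token came from the client request instead of from the server-side authenticated session, so the resulting token carried a perfectly valid signature that no relying party could fault. The example below is added here to illustrate that point; it is not code from Apple or from the researcher. It builds a toy token issuer with the buggy issuance path beside the corrected one, plus the relying-party checks (signature, issuer, audience, expiry) a third-party app would perform. All names, keys and session data are constructed, and HS256 with a shared secret stands in for Apple's RS256 signing so the code runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the identity provider's signing key. Real Sign in with
# Apple tokens are RS256-signed and verified with Apple's public key; HS256 with a
# shared secret is used here only so the example runs without third-party libraries.
PROVIDER_KEY = b"constructed-demo-signing-key"
ISSUER = "https://idp.example"   # assumed issuer value
TOKEN_TTL = 600                   # token lifetime in seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Serialise claims as a compact JWT and sign the header.payload with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, key: bytes, audience: str, issuer: str, now=None) -> dict:
    """Relying-party validation: signature, issuer, audience and expiry.

    Raises ValueError on any failure. Note that a token issued for the wrong
    person but signed by the genuine provider passes every one of these checks.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


# Constructed: sessions already authenticated at the provider (session id -> account email).
SESSIONS = {
    "sess-victim": "victim@example.com",
    "sess-attacker": "attacker@example.com",
}


def _make_claims(email: str, client_id: str, now: float) -> dict:
    return {
        "iss": ISSUER, "aud": client_id, "email": email,
        "sub": hashlib.sha256(email.encode()).hexdigest()[:16],   # stable pseudonymous user id
        "iat": int(now), "exp": int(now) + TOKEN_TTL,
    }


def issue_token_vulnerable(session_id: str, requested_email: str, client_id: str, now=None) -> str:
    """Bug pattern from the article: the identity placed in the token is taken from the request."""
    if session_id not in SESSIONS:
        raise PermissionError("not authenticated")
    now = time.time() if now is None else now
    return sign_jwt(_make_claims(requested_email, client_id, now), PROVIDER_KEY)


def issue_token_fixed(session_id: str, requested_email: str, client_id: str, now=None) -> str:
    """Fix: the identity comes from the authenticated session; the request may only agree with it."""
    if session_id not in SESSIONS:
        raise PermissionError("not authenticated")
    actual_email = SESSIONS[session_id]
    if not hmac.compare_digest(requested_email.encode(), actual_email.encode()):
        raise PermissionError("requested identity does not match authenticated session")
    now = time.time() if now is None else now
    return sign_jwt(_make_claims(actual_email, client_id, now), PROVIDER_KEY)
```

The instructive part is that `verify_jwt` accepts the token produced by `issue_token_vulnerable` for the attacker's session and the victim's email: the signature, issuer, audience and expiry are all genuine. The relying party has no way to detect the substitution, which is why the only effective fix sits in the issuer, where the subject of the token must be bound to the session that actually authenticated.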
Bhavuk said, “I found I could request JWTs for any Email ID from Apple, and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID and gaining access to the victim’s account. The impact of this vulnerability was quite critical, as it could have allowed a full account takeover. Many developers have integrated sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use the sign in with Apple – Dropbox, Spotify, Airbnb, Giphy (now acquired by Facebook).”