Apple has paid a developer nearly $150,000 after he discovered a “critical” flaw in its sign-in function that could have allowed hackers to take over accounts on major third-party apps.
The tech giant launched the ‘Sign in with Apple’ feature last year as a more privacy-preserving way for users to sign into third-party applications such as Dropbox, Spotify, Airbnb and Giphy.
It was designed as an alternative for apps that allow users to sign in using their Facebook or Google accounts, as a way to minimise the amount of data collected on users.
The feature “makes it easier for users to sign in to your apps and websites using their Apple ID”, the company said.
“Instead of filling out forms, verifying email addresses, and choosing new passwords, they can use ‘Sign in with Apple’ to set up an account and start using your app right away,” Apple said when announcing the feature.
“All accounts are protected with two-factor authentication for superior security, and Apple will not track users’ activity in your app or website.”
But in April, Indian developer Bhavuk Jain discovered a huge hole in the function’s security, allowing anyone to access a user’s account on these third-party apps just by having their email that is linked with their Apple account.
Jain notified Apple of the flaw, which has now been patched.
He has been paid $US100,000 for his troubles through Apple’s bug bounty program.
In a blog post over the weekend, Jain detailed the vulnerability, which would have allowed anyone to access a user’s account on third party apps using just their Apple ID email address.
“This bug could have resulted in a full account takeover of user accounts on that third-party application irrespective of a victim having a valid Apple ID or not,” Jain wrote.
“The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated ‘Sign in with Apple’ since it is mandatory for applications that support other social logins.”
The issue was with how Apple validated a user trying to sign into a third-party app using the function on the client side.
The ‘Sign in with Apple’ service relies on a JSON Web Token (JWT) or a code generated by Apple’s servers.
Users are given the option to share their Apple email ID with the app or to hide it, with a new email created if the latter option is selected.
Apple then produces a JWT which contains the email ID, and this is used by the third-party application to authenticate the identity of the user and log them in.
But Jain discovered earlier this year that while Apple was asking users to log in using their ID before initiating a request with its own servers, it wasn't making sure the same person was requesting the authentication token on the next step.
This meant that someone could provide an Apple email ID belonging to someone else and easily manipulate the system into generating the token needed to sign in.
“This means an attacker could forge a JWT by linking any email ID to it and gaining access to the victim’s account,” Jain said.
If the third-party apps did not have any other security measures in place, hackers could have utilised the vulnerability to log into user’s accounts on major apps such as Dropbox and Spotify which offer the ‘Sign in with Apple’ feature.
“These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user,” Jain said.
Apple said it has now patched this vulnerability after Jain alerted them to it, and that it hadn’t been used as part of any attacks.