In 2019, Apple announced a Sign in with Apple option for users who preferred not to share personal email addresses with the third-party apps and services they use on their devices. The feature, which was announced at the Apple Worldwide Developers Conference as a way to protect user privacy, has since been compromised.
According to a report from iMore, security researcher Bhavuk Jain recently discovered a critical flaw within the feature on iOS devices. If exploited, the flaw would allow remote attacks from anyone looking to take over third-party app accounts, including Spotify, Dropbox, and Giphy, from unsuspecting victims. After finding the vulnerability, Jain reported it to Apple through the company’s bug bounty program, and he has been awarded $100,000 for his discovery.
Jain also broke down his findings in a blog post on his website.
“I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures,” he wrote.
“This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”
“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”
Apple has since patched the flaw and assured users that there had been no misuse or account takeovers resulting from the bug.
Tired of creating new passwords for every app you use? Look for the Sign in with Apple button to sign in securely with the Apple ID you already have.
— Apple Support (@AppleSupport) January 6, 2020
This isn’t the first time Apple has reached into its pockets to compensate people for finding and reporting bugs in its software. In 2019, the company paid 14-year-old Grant Thompson for bringing a FaceTime bug to its attention, as The Inquisitr previously reported.
Before Apple patched it, the bug could be triggered through the FaceTime app by using the Group FaceTime feature. The vulnerability allowed a caller to listen in on the surroundings or conversations of the person they were calling, even if that person chose to ignore the call. In some cases, callers also gained access to the recipient’s camera.
Over the years, these bug bounty programs have become standard across the tech industry. Apple currently offers up to $200,000 in cash awards via its bounty program, which was officially introduced in 2016.