Sign in with Apple vulnerability could have led to account takeovers

Critical vulnerability was discovered by a security researcher who responsibly reported it to Apple


A critical vulnerability in Apple’s ‘Sign in with Apple’ system could have allowed remote attackers to take over targeted user accounts on third-party services and apps.

The company’s Sign in with Apple feature, which launched at WWDC 2019, lets users log in to third-party apps and websites using their Apple ID. The feature also helps protect users' privacy, as its ‘hide my email’ function lets them withhold their email addresses from apps and sites.

Independent security researcher Bhavuk Jain first discovered the bug in Sign in with Apple last month, and the company paid him a $100,000 bug bounty after he responsibly disclosed it. In a blog post, Jain explained just how serious this now-patched vulnerability could have been, saying:

“The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple - Dropbox, Spotify, Airbnb, Giphy (Now acquired by Facebook). These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user.”


The Sign in with Apple system works in a similar way to OAuth 2.0 and users can be authenticated by either using a JSON Web Token (JWT) or a code generated by the company’s server which is then used to generate a JWT.

Jain discovered that he could request JWTs for any email ID from Apple, and because Apple’s own server had signed them, these tokens showed as valid when their signature was verified using Apple’s public key. As a result, an attacker could obtain a JWT tied to any email ID, and a service that relied on that token alone would grant them access to the victim’s linked accounts.

After Jain submitted his findings to Apple, the company conducted an investigation of its logs and determined that there was no misuse or account compromise that exploited the vulnerability.


Thankfully, Jain disclosed the vulnerability in a timely manner, before it could become a zero-day, a flaw that is discovered and exploited before a fix for the issue is made available.

Via The Hacker News

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
