A researcher recently found a critical Apple vulnerability that, if exploited, could enable remote attackers to abuse the “Sign in with Apple” feature to take over victims’ third-party application accounts. The security researcher, Bhavuk Jain, reported the flaw to Apple via its bug bounty program, and was awarded $100,000 for the find.
The flaw stemmed from the “Sign in with Apple” feature, which was introduced by Apple at its Worldwide Developers Conference last year. Sign in with Apple aimed to make it easy and secure for Apple users to sign into third-party apps and websites. It did this by implementing an Apple-backed authentication system to replace social logins on third-party services.
“In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures,” said Jain, in his disclosure of the bug on Sunday. “This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”
Apple has since fixed the flaw. Threatpost has reached out to Apple for further comment.
One of the highlights of Sign in with Apple is that users could sign up with third-party services without needing to disclose their Apple ID email address to these services. This worked because Sign in with Apple would first validate users on the client side, and then initiate a JSON Web Token (JWT) request from Apple’s authentication services. This JWT would then be used by the third-party app to confirm the user’s identity.
The issue was that after Apple validated the user on the client side via their Apple ID email address, it did not verify that the JWT request was from that actual user account. An attacker could abuse this flaw by providing an Apple ID email that belongs to the victim and tricking Apple servers into generating a valid JWT payload. Once an attacker does this, he can then sign into a third-party app using the victim’s identity.
“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” he said. “This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”
According to The Hacker News, the flaw could be exploited even if users had decided to hide their email IDs from third-party services. It could also be exploited to sign up new accounts with victims’ Apple IDs.
There are two hoops that attackers would need to jump through to make this exploit work. First, they would need an email ID for an Apple user – though that could be any Apple user’s email ID. Second, they would need to log into a third-party app via Sign in with Apple that didn’t require any further security measures.
Jain said the impact of this vulnerability is “quite critical” as it could allow full account takeover. Many developers have integrated Sign in with Apple into their services, including Dropbox, Spotify, Airbnb, and Giphy.
“These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user,” Jain said.
Jain said that Apple conducted an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability. The researcher found the flaw in April and reported it via Apple’s bug bounty program which earned him $100,000. Threatpost has reached out to Jain for further details on the timeline of discovering and reporting the flaw.
Apple in December 2019 opened up its historically private bug-bounty program to the public, bolstering its top payout to $1 million, in an effort to weed out serious vulnerabilities. Another Apple flaw recently disclosed in April earned a bug bounty hunter $75,000 for finding Safari flaws that could be exploited to snoop on iPhones, iPads and Mac computers using their microphones and cameras.
Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.