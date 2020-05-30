Researcher Bhavuk Jain discovered a critical Sign in with Apple vulnerability in April that could have resulted in the takeover of some user accounts. The bug affected third-party applications that used Sign in with Apple and did not implement additional security measures of their own.



Jain notes that Sign in with Apple authenticates a user through a JWT (JSON Web Token) or an authorization code generated by Apple's server. Apple gives the user the option to share the email address linked to their Apple ID or a private relay email address, and then creates a JWT containing the chosen address, which the third-party application uses to log the user in.

Jain then discovered that he could request JWTs from Apple for Apple ID email addresses and private relay addresses alike, and that when the signature of these tokens was verified using Apple's public key, "it was shown to be valid". Had the flaw gone unnoticed, an attacker could have obtained a JWT bound to a victim's email address and used it to gain access to the victim's account in an affected application.
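The relying-party side of the flow above, as an added example that is not code from the article or from Apple: a stand-in issuer signs identity tokens with a locally generated RSA key, and the application verifies the signature the way the article describes, then adds the checks a signature alone cannot provide (expected issuer, its own client id as audience, expiry). The issuer URL, client id, account ids and the claims of the attacker-obtained token are constructed for the example. The article does not say which additional measures would have protected an application, so keying accounts on the issuer's stable subject identifier rather than on the email claim is shown here as an assumed hardening, not as Apple's or Jain's recommendation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// IdentityClaims is the subset of identity-token claims this example uses.
type IdentityClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// SignRS256 builds a compact JWS (header.payload.signature). It stands in for the
// issuer, Apple's server in the article; the key pair is generated locally.
func SignRS256(priv *rsa.PrivateKey, c IdentityClaims) (string, error) {
	payload, _ := json.Marshal(c) // cannot fail for a struct of strings and ints
	signingInput := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifySignature checks only that pub signed the token and returns its claims. Passing
// here makes a token "valid" in the article's sense: the issuer signed it, nothing more.
func VerifySignature(pub *rsa.PublicKey, token string) (IdentityClaims, error) {
	var c IdentityClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	rawHdr, errH := b64.DecodeString(parts[0])
	rawPayload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return c, errors.New("bad base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("unexpected alg") // the verifier, not the token, picks the algorithm
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, err
	}
	err := json.Unmarshal(rawPayload, &c)
	return c, err
}

// ValidateClaims is what a relying party must check beyond the signature: the expected
// issuer, this app's own client id as audience, and an expiry still in the future.
func ValidateClaims(c IdentityClaims, wantIss, wantAud string, now int64) error {
	if c.Iss != wantIss || c.Aud != wantAud || now >= c.Exp {
		return fmt.Errorf("rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return nil
}

// Scenario signs, with the issuer's own key, a token carrying the victim's email under a
// different subject (constructed; the article gives no detail of the forged tokens' claims).
func Scenario() (viaEmail, viaSubject string, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", "", err
	}
	const iss, aud, now = "https://issuer.example", "com.example.app", 1700000000 // constructed
	byEmail := map[string]string{"victim@example.com": "acct-victim"} // email -> account
	bySub := map[string]string{iss + "|sub-victim": "acct-victim"}    // issuer|sub -> account
	tok, err := SignRS256(priv, IdentityClaims{Iss: iss, Aud: aud, Sub: "sub-attacker",
		Email: "victim@example.com", Exp: now + 300})
	if err != nil {
		return "", "", err
	}
	claims, err := VerifySignature(&priv.PublicKey, tok) // passes: the issuer really signed it
	if err != nil {
		return "", "", err
	}
	if err = ValidateClaims(claims, iss, aud, now); err != nil { // passes too: iss, aud, exp are fine
		return "", "", err
	}
	// Keying the account on the email claim hands over the victim's account; keying it on
	// the issuer's stable subject id (the hardening assumed here) finds nothing ("").
	return byEmail[claims.Email], bySub[claims.Iss+"|"+claims.Sub], nil
}

func main() { fmt.Println(Scenario()) }
```

In a real deployment the public key is not generated locally but fetched from the issuer's published key set and selected by the token header's key id; the example keeps everything offline. The point the scenario makes is the one in the article: a token the issuer signed is always "valid" to the signature check, so every further decision (which app, which user, for how long) has to be made by the relying party from the claims.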

In an interview with The Hacker News, Jain spoke about the seriousness of the flaw:

The impact of this vulnerability was quite critical as it could have allowed a full account takeover. Many developers have integrated Sign in with Apple, as it is required for applications that support other social logins. To name a few who use Sign in with Apple: Dropbox, Spotify, Airbnb, Giphy (now purchased by Facebook).

According to Jain, Apple investigated and concluded that no accounts had been compromised using this method before the vulnerability was fixed. Jain received $100,000 from Apple under the Apple Security Bounty program for reporting the flaw.