A now-patched vulnerability in Sign in with Apple let attackers access user accounts at linked third-party services. The flaw was discovered by researcher Bhavuk Jain, who reported the problem to Apple through the company’s bug bounty program.

As detailed by The Hacker News, the vulnerability relied on how Apple validated users “on the client side before initiating a request from Apple’s authentication services.” The Sign in with Apple authentication process consists of the server generating a JSON Web Token, which the third-party app uses to confirm the user’s indemnity.

The vulnerability forged a token and tricked Apple’s authentication process:

Bhavuk found that though Apple asks users to log in to their Apple account before initiating the request, it was not validating if the same person is requesting JSON Web Token (JWT) in the next step from its authentication server.

Therefore, the missing validation in that part of the mechanism could have allowed an attacker to provide a separate Apple ID belonging to a victim, tricking Apple servers into generating JWT payload that was valid to sign in into a 3rd-party service with the victim’s identity.

The impact of the vulnerability could have allowed account takeovers of third-party services that use Sign in with Apple, unless the third-party app had other security measures in place while verifying the users.

“The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple – Dropbox, Spotify, Airbnb, Giphy (Now acquired by Facebook),” Jain wrote.

After Jain reported the flaw, Apple fixed the problem and paid out $100,000 to the researcher as per its bug bounty program. Apple says that it investigated server logs and found no evidence that the vulnerability was exploited in the wild.

What’s important to clarify here is that the vulnerability did not allow access to the impacted Apple account. It would have allowed a takeover of the third-party service that a user accessed by logging in using Sign in with Apple. You can read the full report detailing the vulnerability on Jain’s blog.

Apple debuted Sign in with Apple at WWDC last year. It allows users to sign into third-party services using their Apple ID and authenticating with biometrics like Face ID and Touch ID. One of the biggest benefits of the platform is a feature that allows users to hide their email address from the third-party services.

FTC: We use income earning auto affiliate links. More.


Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author