Security researcher scoops $100,000 bounty for helping squash Sign in with Apple bug

Sign in with Apple. Now hopefully bug-free. Photo: Apple

A security vulnerability with “Sign in with Apple” could have allowed hackers to carry out a full account takeover of user accounts accessed using the feature. Fortunately, the bug was spotted by India-based security researcher Bhavuk Jain.

In a blog post published over the weekend, Jain noted that he made Apple aware of the vulnerability back in April. It was subsequently fixed. Thanks to Apple’s bug bounty program, he was then paid $100,000 as a thank you from the Cupertino tech giant.

The bug involved an issue with the web tokens generated for use with Sign in with Apple. Jain noted that the vulnerability made it possible for anyone to request tokens for any email ID from Apple. These tokens could then be used to verify identity, which would let an attacker forge a token linked to a victim's email ID and use it to gain access to that victim's account.
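The relying-party side of the identity-token check the article describes, as an added example that is not code from the article or from Apple: it verifies a Sign in with Apple identity token's RS256 signature and then its iss, aud and exp claims before any payload claim such as email is used. The issuer URL is Apple's real value; the client_id, signing key and claims are constructed locally so the example runs offline, and looking up Apple's public key by the header's kid is left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// AppleIssuer is the iss value carried by Sign in with Apple identity tokens.
const AppleIssuer = "https://appleid.apple.com"
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// VerifyIDToken checks the RS256 signature with the issuer's key, then iss, aud and exp (now is Unix time).
func VerifyIDToken(token, clientID string, pub *rsa.PublicKey, now int64) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify against issuer key")
	}
	payload, err := b64.DecodeString(parts[1]) // payload is only decoded after the signature holds
	var c map[string]interface{}
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("undecodable payload")
	}
	switch exp, _ := c["exp"].(float64); { // JSON numbers decode as float64; missing exp counts as expired
	case c["iss"] != AppleIssuer:
		return nil, errors.New("unexpected issuer")
	case c["aud"] != clientID:
		return nil, errors.New("token issued for a different client_id")
	case float64(now) >= exp:
		return nil, errors.New("token expired")
	}
	return c, nil
}

// MintToken signs claims as an RS256 JWT; it stands in for the identity provider here and is not Apple's code.
func MintToken(claims map[string]interface{}, priv *rsa.PrivateKey) string {
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","kid":"example"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}
```

A token that passes these checks proves only that the issuer signed those claims for this client; which of them the application then relies on when linking a user to an account is a separate decision.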

“The impact of this vulnerability was quite critical as it could have allowed full account takeover,” wrote Bhavuk Jain. “A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple – Dropbox, Spotify, Airbnb, Giphy (Now acquired by Facebook). These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user.”

According to Jain, Apple carried out an investigation and determined that no accounts were compromised due to this Sign in with Apple bug.

Apple’s bug bounty

Apple introduced its new, improved bug bounty program at the Black Hat conference in Las Vegas last summer. Apple pays up to $1 million for some discovered vulnerabilities in its software. The amount Apple pays out is tied to the potential severity of the problem discovered. For example, a $1 million reward requires a person to discover a zero-click, full chain kernel code execution attack. Meanwhile, $500,000 is for a network attack requiring no user interaction. Vulnerabilities that are found before a piece of software is released can earn a 50% bonus.

Sign in with Apple was a feature introduced in iOS 13. It is a privacy focused — and now, hopefully, bug-free — login system that Apple requires any app using third-party login services like Facebook to support.