A bug bounty hunter has received a $100,000 reward from Apple as an award for discovering a severe security issue. The bug bounty hunter is a researcher who goes by the name Bhavuk Jain.
Jain found a severe security issue that would have led to users' accounts being taken over if the wrong person first discovered the bug.
The Vulnerability of the Apple ID System
Hacker News reported that Jain discovered that the Sign in with Apple feature had a vulnerability. It's a developer feature that lets users sign in to any service using it with their Apple IDs.
The Sign in with Apple feature was a feature that Apple came up with so that they could improve privacy and create sign-in procedures for non-Apple-affiliated websites and apps with Apple's processes for IDs and two-factor authentication.
It didn't stop Jain from finding a severe authentication bypass that ignored all authentication and hijacked the accounts of third-party users, while only having to know the target's email ID.
The bug bounty hunter, Jain, previously discovered bugs in Verizon Media, Udemy, Zomato, and Bumble. The flaw in security was because of how client-side user validation requests get processed by Apple.
In a post on Jain's blog, he states that Apple authenticates users using a code generated by their servers or a JSON Web Token.
Users have a choice between sharing their email ID or not with the third-party they're trying to log in to with their Apple ID as a part of the authentication procedure. If the user hides their email ID, Apple generates a JWT that contains this information, which the third-party service uses for user authentication instead of the email ID directly.
The bug bounty hunter discovered Apple's handling of JWT requests had a validation conflict when compared to the user's authentication when they login to the account before they start requests.
Jain found that he could have any email ID and request JWTs from Apple, and when Apple's public key verified the signature of the tokens, they would be validated. It means that if an attacker can forge a JWT by linking any email ID he wants, it would give them access to the account he's trying to gain access to with the attack.
The missed step in the validation process means that any third-party service that uses Sign in with Apple is vulnerable to being abused. User accounts have been susceptible to being hijacked from any accounts or services linked to their Apple ID.
A full account takeover is possible due to how critically impactful the vulnerability was since numerous developers have integrated the Sign in with Apple feature. Developers must integrate when they make applications that support other social network logins on Apple devices.
The Apple ID Vulnerability is No More
After Apple accepted Jain's report, they investigated their server's logs, and it seems the security flaw was exploited by anyone so far whatsoever. However, from how severe this authentication bypass was, it could be a way for someone to compromise the data of iCloud accounts.
Jain reported the bug through the Apple Security Bounty program, which is how Jain earned the reward of $100,000. Apple has patched the vulnerability.