Sign in With Apple Vulnerability
Bhavuk Jain (via MacRumors, Hacker News):
In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures. This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.
For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty program.
[…]
I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.
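The "additional security measures" the quote refers to are the checks a relying party makes after a JWT library has verified Apple's signature. As an added illustration (not code from the post or from Apple), the following assumes a hypothetical client ID, nonce and account table, and shows why the local account must be keyed on the stable `sub` claim rather than on the email, and why the token must be bound to this client (`aud`) and to the login attempt that requested it (`nonce`).

```python
import time

APPLE_ISSUER = "https://appleid.apple.com"
CLIENT_ID = "com.example.app"            # hypothetical Services ID / client_id

class IdTokenError(ValueError):
    """Raised when a signature-valid ID token still must not be accepted."""

def validate_apple_id_token_claims(claims, client_id, expected_nonce, now=None):
    """Relying-party checks on an ID token whose RS256 signature was already
    verified against Apple's published keys. Returns the `sub` to key the
    local account on; the email claim is deliberately never returned."""
    now = time.time() if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise IdTokenError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("token was not issued for this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise IdTokenError("token expired")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + 60:
        raise IdTokenError("token issued in the future")
    # The nonce was generated by this server for this login attempt; a token
    # that carries a different one was not produced by this authorization flow.
    if expected_nonce is None or claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise IdTokenError("missing subject")
    return sub

def resolve_account(accounts, claims, client_id, expected_nonce, now=None):
    """Look up the local account by Apple's stable user identifier only."""
    return accounts.get(validate_apple_id_token_claims(claims, client_id, expected_nonce, now))

def accepts(claims, client_id, expected_nonce, now=None):
    """Boolean convenience wrapper around the claim checks."""
    try:
        validate_apple_id_token_claims(claims, client_id, expected_nonce, now)
        return True
    except IdTokenError:
        return False

# Constructed sample data: a token whose email names the victim but whose
# subject is the attacker's own Apple user identifier.
ACCOUNTS = {"001234.victim-sub": "victim-account", "001234.attacker-sub": "attacker-account"}
SAMPLE_CLAIMS = {"iss": APPLE_ISSUER, "aud": CLIENT_ID, "exp": 1_600_000_600, "iat": 1_600_000_000,
                 "sub": "001234.attacker-sub", "email": "victim@example.com", "nonce": "n-1"}
```

Keyed on `sub`, the sample token only ever reaches the attacker's own account, whatever email it carries.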
See also:
- Open Letter from the OpenID Foundation to Apple Regarding Sign In with Apple (via MacRumors, Hacker News)
- Design Issues of Sign in with Apple
- Apple Successfully Implements OpenID Connect with Sign In with Apple (via AppleInsider, Hacker News)
Previously: