{"id":29105,"date":"2020-06-01T16:13:24","date_gmt":"2020-06-01T20:13:24","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=29105"},"modified":"2020-06-01T16:13:24","modified_gmt":"2020-06-01T20:13:24","slug":"sign-in-with-apple-vulnerability","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2020\/06\/01\/sign-in-with-apple-vulnerability\/","title":{"rendered":"Sign in With Apple Vulnerability"},"content":{"rendered":"<p><a href=\"https:\/\/bhavukjain.com\/blog\/2020\/05\/30\/zeroday-signin-with-apple\/\">Bhavuk Jain<\/a> (via <a href=\"https:\/\/www.macrumors.com\/2020\/05\/30\/sign-in-with-apple-vulnerability\/\">MacRumors<\/a>, <a href=\"https:\/\/news.ycombinator.com\/item?id=23362149\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/bhavukjain.com\/blog\/2020\/05\/30\/zeroday-signin-with-apple\/\">\n<p>In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn&rsquo;t implement their own additional security measures. This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.<\/p>\n<p>For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty program.<\/p>\n<p>[&#8230;]<\/p>\n<p>I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple&rsquo;s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim&rsquo;s account.<\/p>\n<\/blockquote>\n\n<p>See also:<\/p>\n<ul>\n<li><a href=\"https:\/\/openid.net\/2019\/06\/27\/open-letter-from-the-openid-foundation-to-apple-regarding-sign-in-with-apple\/\">Open Letter from the OpenID Foundation to Apple Regarding Sign In with Apple<\/a> (via <a href=\"https:\/\/www.macrumors.com\/2019\/06\/30\/openid-claims-sign-in-with-apple-privacy-risk\/\">MacRumors<\/a>, <a href=\"https:\/\/news.ycombinator.com\/item?id=20311000\">Hacker News<\/a>)<\/li>\n<li><a href=\"https:\/\/danpalmer.me\/2019-07-02-on-signing-in-with-apple\/\">Design Issues of Sign in with Apple<\/a><\/li>\n<li><a href=\"https:\/\/openid.net\/2019\/09\/30\/apple-successfully-implements-openid-connect-with-sign-in-with-apple\/\">Apple Successfully Implements OpenID Connect with Sign In with Apple<\/a> (via <a href=\"https:\/\/appleinsider.com\/articles\/19\/10\/02\/sign-in-with-apple-better-but-not-perfect-says-openid-foundation-head\">AppleInsider<\/a>, <a href=\"https:\/\/news.ycombinator.com\/item?id=21149820\">Hacker News<\/a>)<\/li>\n<\/ul>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2020\/05\/19\/apple-vs-security-researchers\/\">Apple vs. Security Researchers<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/06\/14\/sign-in-with-apple\/\">Sign in With Apple<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Bhavuk Jain (via MacRumors, Hacker News): In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn&rsquo;t implement their own additional security measures. This bug could have resulted in a full account takeover of user accounts on that third party application irrespective [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2020-06-01T20:13:27Z","apple_news_api_id":"b0f6dfd3-15bc-486c-8bd2-b76a9a971a36","apple_news_api_modified_at":"2020-06-01T20:13:27Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/AsPbf0xW8SGyL0rdqmpcaNg","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[131,31,1667,1950,355,48,1823],"class_list":["post-29105","post","type-post","status-publish","format-standard","hentry","category-technology","tag-bug","tag-ios","tag-ios-13","tag-open","tag-privacy","tag-security","tag-sign-in-with-apple"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/29105","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=29105"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/29105\/revisions"}],"predecessor-version":[{"id":29106,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/29105\/revisions\/29106"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=29105"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=29105"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=29105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}