Indian security researcher paid Rs 75 lakh by Apple for reporting a flaw in ‘Sign in with Apple’
The zero-day vulnerability could have allowed an attacker to take over a user’s accounts on third-party apps that use Apple ID for login, such as Dropbox and Spotify.
Bhavuk Jain, who holds a bachelor’s degree in electronics and telecommunication, discovered the zero-day bug in ‘Sign in with Apple’. It affected third-party applications that used the feature without implementing additional security measures of their own.
“For this vulnerability, I was paid $100,000 by Apple under the Apple Security Bounty program,” he said.
Jain is a full-stack developer interested mostly in mobile app development using React Native. He is currently a full-time bug bounty hunter “trying to make the internet a safer place for everyone”.
In 2019 Apple launched ‘Sign in with Apple’ as a more privacy-focused alternative to third-party logins.
Bhavuk Jain disclosed the flaw to Apple, which led to an award from Apple’s bug bounty program. Apple then corrected the bug.
According to Jain, Sign in with Apple works similarly to OAuth 2.0.
“There are two possible ways to authenticate a user: by either using a JWT (JSON Web Token) or a code generated by the Apple server. The code is then used to generate a JWT,” he explained.
In the second step, while authorizing, Apple gives the user the option of whether or not to share their Apple email ID with the third-party app.
If the user decides to hide the email ID, Apple generates its own user-specific Apple relay email ID.
Jain said: “Depending upon the user selection, after successful authorization, Apple creates a JWT which contains this email ID, which is then used by the third-party app to log in the user.”
He found that he could request a JWT for any email ID from Apple, and when the signature of these tokens was verified using Apple’s public key, they showed as valid.
“This means an attacker could forge a JWT by linking any email ID to it and gain access to the victim’s account,” Jain noted.
The impact of this vulnerability was critical, as it could have allowed full account takeover.