Apple sign-in has a zero-day vulnerability, Indian programmer discovers2 min read . Updated: 31 May 2020, 03:36 PM IST
- The vulnerability affects third-party apps using Apple's authentication without deploying additional security
- Apple found the vulnerability had not been misused and no accounts had been compromised due to it
A 'zero-day' vulnerability was detected in Apple's ‘sign-in with Apple’ account authentication in April by an Indian security programmer Bhavuk Jain who claims to have been paid $100,000 (approx Rs7.5 million) by Apple under their Apple Security Bounty program.
The vulnerability is believed to affect third-party apps which were using Apple's authentication but didn’t deploy any additional security measures of their own. If exploited, it could have allowed attackers to take full control over user accounts on third party apps.
Mint could not secure a confirmation on this from Apple. According to Jain, after the matter was brought to their attention, Apple conducted an investigation of their logs and found the vulnerability had not been misused and no accounts had been compromised due to it.
In his official blog post, Jain explains 'sign in with Apple' works similarly to ‘OAuth 2.0’. It authenticates a user by either using a JWT (JSON Web Token) or a code generated by the Apple server.
In the first process, users start by sending an authentication request to Apple authentication server, which grants authorisation by exchanging JWT with users. The JWT is then sent to the third party app for verification. The third party app then sends the JWT to Apple's authentication server using Apple's public key. After the verification by Apple, users are allowed to login into the app using JWT.
In case of the second process where a code is generated by Apple server, Apple provides users the choice to share their Apple email ID with the third party app or not. If they don't want to share the Apple ID with the developers, Apple generates its own user-specific Apple relay email ID. Whichever way users choose to do this, once authorisation is completed, Apple creates a JWT which contains the email ID which is then used by the app to let users login.
Jain found that attackers could forge a JWT by linking any email ID to it and gain unfettered access to the users' app account.
Attackers could request JWTs for any email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid, adds Jain.
Many developers have integrated 'sign in with Apple' for their apps just like other social logins as Apple had made it mandatory for apps that support third party sign-ins. Introduced in 2019, the Apple authentication allows users to sign into their apps and websites using their Apple ID.
Unlike other third party sign-ins, Apple's authentication allowed users the option to not share their email address with third party apps and generated a random email ID for them. This was meant to strengthen user privacy and make them feel less exposed.
In 2018, Facebook had to revoke access tokens for around 90 million users after it was found that attackers were harvesting access tokens by exploiting bugs in Facebook's codes that were introduced after a video uploader was added to the social network in 2017.