{"id":113597,"date":"2020-05-30T21:10:07","date_gmt":"2020-05-30T21:10:07","guid":{"rendered":"https:\/\/appleinsider.com\/articles\/20\/05\/30\/sign-in-with-apple-bug-discovery-earns-developer-100000"},"modified":"2020-05-30T21:10:07","modified_gmt":"2020-05-30T21:10:07","slug":"sign-in-with-apple-bug-discovery-earns-developer-100000","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2020\/05\/30\/sign-in-with-apple-bug-discovery-earns-developer-100000\/","title":{"rendered":"Sign in with Apple bug discovery earns developer $100,000"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2020\/05\/sign-in-with-apple-bug-discovery-earns-developer-100000.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Details of a now-patched vulnerability in the &#8220;Sign in with Apple&#8221; account authentication have been revealed, a zero-day that could have allowed an attacker to take control of a user&#8217;s account. <\/p>\n<div class=\"col-sm-12\">\n<p>Launched in 2019, &#8220;<a href=\"https:\/\/appleinsider.com\/articles\/19\/11\/07\/how-to-use-sign-in-with-apple-and-manage-your-log-in-information\">Sign in with Apple<\/a>&#8221; is intended to be a more privacy-focused alternative to website and app log-in systems powered by Facebook and Google accounts. By minimizing the amount of a user&#8217;s data that is used for authentication and account creation, the API also helped reduce the amount of tracking Facebook and Google performed on users, in turn making it more private. <\/p>\n<\/div>\n<div class=\"col-sm-12\">\n<p><a href=\"https:\/\/bhavukjain.com\/blog\/2020\/05\/30\/zeroday-signin-with-apple\/\">Disclosed<\/a> on Saturday by security-focused developer Bhavuk Jain, a zero-day vulnerability in Sign in with Apple had the potential to let an attacker gain access to, and fully take over, a user&#8217;s account on a third-party application. 
According to Jain, the bug would have enabled a change in control of the application&#8217;s user account, regardless of whether the user had a valid Apple ID or not. <\/p>\n<\/div>\n<div class=\"col-sm-12\">\n<p>Sign in with Apple relies on either a JSON Web Token (JWT) or a code generated by Apple&#8217;s servers, with the latter used to generate a JWT if one doesn&#8217;t exist. While authorizing, Apple provides users with options to either share or hide their Apple Email ID with the third-party app, with a user-specific Apple relay email ID created for the latter selection. <\/p>\n<\/div>\n<div class=\"col-sm-12\">\n<p>After a successful authorization, Apple produces a JWT that contains the email ID and is used by the third-party application to log the user in. <\/p>\n<\/div>\n<div class=\"col-sm-12\">\n<p>Jain discovered in April that it was possible to request a JWT for any email ID, and when the signature of such a token was verified using Apple&#8217;s public key, the token was deemed valid. In effect, an attacker could create a JWT through this process and gain access to the victim&#8217;s account. <\/p>\n<\/div>\n<div class=\"col-sm-12\">\n<p>As Apple mandates the inclusion of Sign in with Apple in apps with other social-based login systems, the attack was theoretically effective against a very broad base of apps. An investigation by Apple&#8217;s security team determined the vulnerability had not been used in any attacks. <\/p>\n<\/div>\n<div class=\"col-sm-12\">\n<p>Jain responsibly disclosed the flaw to Apple, which led to an award from Apple&#8217;s <a href=\"https:\/\/appleinsider.com\/articles\/19\/12\/20\/apple-ups-security-bug-bounty-payouts-to-1000000\">bug bounty program<\/a> worth $100,000. 
Apple has since patched the vulnerability, but it isn&#8217;t clear exactly how yet.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Details of a now-patched vulnerability in the &#8220;Sign in with Apple&#8221; account authentication have been revealed, a zero-day that could have allowed an attacker to take control of a user&#8217;s account. Launched in 2019, &#8220;Sign in with Apple&#8221; is intended to be a more privacy-focused alternative to website and app log-in systems powered by Facebook [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":113598,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57],"tags":[],"class_list":["post-113597","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-apple-insider"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/113597","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=113597"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/113597\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media\/113598"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=113597"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=113597"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=113597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.or
g\/{rel}","templated":true}]}}