05-31-2020, 01:00 AM
Sign in with Apple bug discovery earns developer $100,000
<div style="margin: 5px 5% 10px 5%;"><img src="https://www.sickgaming.net/blog/wp-content/uploads/2020/05/sign-in-with-apple-bug-discovery-earns-developer-100000.jpg" width="870" height="485" title="" alt="" /></div><div>
<p>Details of a now-patched vulnerability in the “Sign in with Apple” account authentication have been revealed, a zero-day that could have allowed an attacker to take control of a user’s account. </p>
<div class="col-sm-12">
<p>Launched in 2019, “<a href="https://appleinsider.com/articles/19/11/07/how-to-use-sign-in-with-apple-and-manage-your-log-in-information">Sign in with Apple</a>” is intended to be a more privacy-focused alternative to website and app log-in systems powered by Facebook and Google accounts. By minimizing the amount of a user’s data that is used for authentication and account creation, the API also helped reduce the amount of tracking Facebook and Google performed on users, in turn making it more private. </p>
</div>
<div class="col-sm-12">
<p><a href="https://bhavukjain.com/blog/2020/05/30/zeroday-signin-with-apple/">Disclosed</a> on Saturday by security-focused developer Bhavuk Jain, a zero-day vulnerability in Sign in with Apple had the potential to let an attacker gain access to, and fully take over, a user’s account on a third-party application. According to Jain, the bug would have enabled a change in control of the application’s user account, regardless of whether the user had a valid Apple ID or not. </p>
</div>
<div class="col-sm-12">
<p>Sign in with Apple relies on either a JSON Web Token (JWT) or a code generated by Apple’s servers, with the latter used to generate a JWT if it doesn’t exist. While authorizing, Apple provides users with options to either share or hide their Apple Email ID with the third-party app, with a user-specific Apple relay email ID created for the latter selection. </p>
</div>
<div class="col-sm-12">
<p>After a successful authorization, Apple produces a JWT, which contains the email ID, and is used by the third-party application to log the user in. </p>
</div>
<div class="col-sm-12">
<p>Jain discovered in April that it was possible to request a JWT for any email ID, and that when the signature of such a token was verified using Apple’s public key, it was deemed to be valid. In effect, an attacker could create a JWT through this process, and gain access to the victim’s account. </p>
</div>
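<div class="col-sm-12">
<p>Why a valid signature was not enough for the third-party app, shown as an added example that is not code from the article, from Jain’s write-up or from Apple: a constructed issuer key pair signs a token whose email claim belongs to another user, and every check the relying party can make still passes. The key pair, the client ID <code>com.example.app</code>, the account store and all function names are assumptions, as is the premise that the token’s <code>sub</code> claim still identifies the requesting account, which the article does not state.</p>
</div>

```javascript
// Added example: constructed keys, tokens and account store; not Apple's or any app's real code.
const crypto = require('node:crypto');

// Stand-in for the identity provider's signing key pair (constructed for this demo).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISS = 'https://appleid.apple.com';
const AUD = 'com.example.app'; // hypothetical client_id of the third-party app

const b64u = (v) => Buffer.from(v).toString('base64url');

// Issuer side: sign whatever claims the authorization step produced (RS256).
function issueToken(claims) {
  const head = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const exp = Math.floor(Date.now() / 1000) + 600;
  const body = b64u(JSON.stringify({ iss: ISS, aud: AUD, exp, ...claims }));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${b64u(sig)}`;
}

// Relying-party side: algorithm, signature, issuer, audience and expiry checks.
function verifyToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url'));
    claims = JSON.parse(Buffer.from(body, 'base64url'));
  } catch { return null; }
  if (header.alg !== 'RS256') return null; // never let the token choose the algorithm
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${head}.${body}`), publicKey,
    Buffer.from(sig, 'base64url'));
  if (!ok || claims.iss !== ISS || claims.aud !== AUD || !(claims.exp > now)) return null;
  return claims;
}

// Constructed account store with one existing user.
const accounts = [{ id: 1, sub: 'sub-victim', email: 'victim@example.com' }];
const loginByEmail = (c) => accounts.find((a) => a.email === c.email)?.id ?? null;
const loginBySub = (c) => accounts.find((a) => a.sub === c.sub)?.id ?? null;

// Failure mode from the article: a correctly signed token carrying someone else's email.
// Assumption: its sub claim is that of the requesting account, not the victim's.
const mismatched = issueToken({ sub: 'sub-other', email: 'victim@example.com' });
const legit = issueToken({ sub: 'sub-victim', email: 'victim@example.com' });
```

<p>Under these assumptions the mismatched token passes <code>verifyToken</code> and resolves to the existing account through <code>loginByEmail</code>, while <code>loginBySub</code> returns no account for it.</p>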
<div class="col-sm-12">
<p>As Apple mandates the inclusion of Sign in with Apple in apps with other social-based login systems, the attack was theoretically effective against a very broad base of apps. An investigation by Apple’s security team determined the vulnerability has not been used in any attacks. </p>
</div>
<div class="col-sm-12">
<p>Jain responsibly disclosed the flaw to Apple, which led to an award from Apple’s <a href="https://appleinsider.com/articles/19/12/20/apple-ups-security-bug-bounty-payouts-to-1000000">bug bounty program</a> worth $100,000. Apple has since patched the vulnerability, but it isn’t clear exactly how yet.</p>
</div>
</div>
https://www.sickgaming.net/blog/2020/05/...er-100000/