Sign in with Apple, a privacy-enhancing feature that lets users log in to third-party apps without revealing their email addresses, has just been patched against a flaw that allowed attackers to gain unauthorized access to those very accounts.
“In April, I found a zero-day in Sign in with Apple that affected third-party applications that were using it and did not implement their own additional security measures,” Jain wrote.
Jain privately reported the flaw to Apple through the company’s bug bounty program and received a hefty payout of $100,000. The developer shared the details only after Apple had updated the login service to fix the vulnerability.
Sign in with Apple debuted in October as an easier, more secure and more private way to log in to apps and websites. Faced with a mandate that many third-party iOS and iPadOS apps offer Sign in with Apple as an option, a host of high-profile services adopted it, placing huge amounts of sensitive user data behind it.
Instead of using a social media account or an email address, filling in web forms and choosing an account-specific password, iPhone and iPad users can tap a button and log in with Face ID, Touch ID or a device passcode. The bug exposed users to the possibility that their third-party accounts could be completely hijacked.
The login service, which works in much the same way as the OAuth 2.0 standard, logs users in using either a JWT (short for JSON Web Token) or a code generated by an Apple server; in the latter case, the code is then used to generate a JWT. Apple lets users share their Apple email ID with third parties or keep the ID hidden. When users hide the ID, Apple creates a JWT that contains a user-specific relay ID.
“I thought I could request JWTs for any Apple email ID, and when the signature on these tokens was verified with Apple’s public key, they turned out to be valid,” Jain wrote. “This means that an attacker could forge a JWT by linking any email ID to it and gain access to the victim’s account.”
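The quote above makes the key point for any app that relies on a third-party login provider: a valid signature proves only that the provider issued the token, not that the token belongs to the person logging in. The following is an added example, not code from the article, from Apple or from the researcher, showing the checks a relying party performs on an identity token beyond the signature (issuer, audience, expiry, nonce) and why it binds local accounts to the token’s stable `sub` claim rather than to the email it carries. It signs tokens with an HMAC key and the stdlib purely so it runs offline; Apple’s real identity tokens are RS256-signed and are verified against the keys Apple publishes. The issuer URL is Apple’s; the audience string, subject values, emails and nonces are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key standing in for the identity provider's signing key.
# Apple's real identity tokens are RS256-signed; HS256 is used here only so
# the example runs with the standard library.
DEMO_KEY = b"constructed-demo-signing-key"
EXPECTED_ISSUER = "https://appleid.apple.com"
EXPECTED_AUDIENCE = "com.example.demoapp"  # hypothetical client_id of our app


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Plays the identity provider: signs whatever claims it is handed."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_signature(token: str, key: bytes = DEMO_KEY) -> dict:
    """Step 1: a valid signature proves the provider issued the token, nothing more."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier, not the token, picks the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def validate_identity_token(token: str, expected_nonce: str,
                            now: Optional[float] = None, key: bytes = DEMO_KEY) -> dict:
    """Step 2: check the claims that bind the token to this app and this login attempt."""
    claims = verify_signature(token, key)
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token was issued for another app")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token not from this login flow")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def resolve_account(claims: dict, accounts_by_sub: dict) -> Optional[str]:
    """Step 3: map the login to a local account by the stable `sub`, never by email."""
    return accounts_by_sub.get(claims["sub"])


def demo() -> dict:
    # Constructed data: the app previously linked its "victim-account" to subject 001.
    accounts_by_sub = {"apple-sub-001": "victim-account"}
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "nonce": "n-1",
            "exp": 2_000_000_000, "email": "victim@example.com"}
    good = mint_token({**base, "sub": "apple-sub-001"})
    # A properly signed token that carries the victim's email under another subject.
    other_sub = mint_token({**base, "sub": "apple-sub-002"})
    wrong_aud = mint_token({**base, "sub": "apple-sub-001", "aud": "com.example.otherapp"})
    now = 1_700_000_000
    results = {}
    # Signature alone says nothing about whose login this is.
    results["signature_alone"] = verify_signature(other_sub)["email"]
    results["good"] = resolve_account(validate_identity_token(good, "n-1", now), accounts_by_sub)
    # Same email, different subject: resolves to no account, so no hijack via email.
    results["other_sub"] = resolve_account(validate_identity_token(other_sub, "n-1", now),
                                           accounts_by_sub)
    try:
        validate_identity_token(wrong_aud, "n-1", now)
        results["wrong_aud"] = "accepted"
    except ValueError as exc:
        results["wrong_aud"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

Treat the `email` claim as profile information to display or to prompt the user with, not as the key for account lookup; the stable `sub` identifier is what the provider vouches for, and the nonce and audience checks tie the token to this app and this particular login attempt.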
There is no indication that the error was ever actively exploited.