A security vulnerability in Apple's login system "Sign in with Apple" could have allowed the takeover of accounts with services such as Dropbox, Spotify, Airbnb and Giphy.
In the past you have probably registered for a shop or web service using "Sign in with Google" or "Sign in with Apple". Doing so saves you filling out registration forms and means you don't have to share your email address with a third party if you don't want to. Apple's "Sign in with Apple" service was only introduced in 2019, and Apple made a big deal about its security. Unfortunately it appears there was a security flaw that could have allowed someone who knew your email address to take over your account.
The zero-day bug was discovered by developer Bhavuk Jain in April 2020, and he shared the details with Apple, which has now fixed the flaw. Jain received a payment of $100,000 from Apple as part of Apple's Security Bounty programme.
Now that Apple has fixed the flaw, Jain has revealed the details on his blog. He said the bug could have resulted in the takeover of user accounts on a third-party application if that third party didn't implement its own additional security measures, such as two-factor authentication (2FA).
Apparently an error in the communication with Apple's servers made it possible for an attacker to gain access to a third-party account if they knew their target's email address.
When using "Sign in with Apple", a user can decide whether or not to send their email address to the third-party provider (e.g. Airbnb). If they decide to withhold it, a request is instead made to an Apple server, which answers with either a so-called JSON Web Token (JWT) or a code generated by the server. After that, access to the service or app is possible.
Jain found that he could request a JWT from Apple for any valid email ID. This means that someone who knew a victim's email address could have gained access to the victim's account with the third party, provided the account was not protected by additional measures.
According to the developer, Apple has checked whether this vulnerability was exploited and found that it hasn't been.
If you want to use Sign In With Apple here's what to do.
This article originally appeared on Macwelt. Translation by Karen Haslam.