Indian techie flags vulnerability in Apple's sign-in system, wins $100,000
Bhavuk Jain, a techie hailing from Delhi, has bagged a $100,000 (Rs. 75.50 lakh) bug bounty from Apple. Jain had flagged a critical security flaw in the Cupertino giant's 'Sign in with Apple' system, an issue that, he says, could have allowed hackers to take full control of accounts on third-party apps and services. Here is all you need to know about it.
First, a quick recap of 'Sign in with Apple'
Back in June 2019, Apple debuted 'Sign in with Apple' as a 'more private' alternative to the quick social login options from Facebook and Google. The feature authenticated users via their Apple ID email and also offered the option of creating a dummy email for the app. Naturally, people liked the idea of signing in via Apple without giving away their data to Google and Facebook.
So, what went wrong?
Months later, in 2020, Jain found that if a third-party app did not have its own security measures, an attacker could forge the authentication token linked to any Apple ID email, and that token would verify as 'valid' against the company's public key. This, he discovered, opened access to the target's account on the app in question, even in cases where a dummy email had been used.
Issue fixed through server-side changes
Following the discovery, Jain reported the issue to Apple, and the company pushed a server-side update to patch it. The researcher claims that the Cupertino giant conducted an internal investigation of the issue and determined that the flaw was not exploited to compromise any account on any app/website. After releasing the fix, Apple paid him the hefty bug bounty.
Apple should have detected the flaw sooner
Though the problem has been mitigated, many are wondering how Apple missed this in the first place. When a company pushes a 'private' sign-in tool, detecting and addressing critical security issues before release is the most basic expectation users have of it. The company has not commented on the matter, but we hope it will take measures to cut down on such vulnerabilities in the future.