An Indian hacker/security researcher named Bhavuk Jain has earned $100,000 (around Rs. 75.3 lakh) from Apple for finding and reporting a bug in “Sign in with Apple” account authentication. It was one of the major zero-day exploits submitted to Apple in recent years.
The zero-day vulnerability could have allowed hackers to take over the accounts that Apple users log into on 3rd-party apps such as Spotify, Dropbox and many more.
About Apple’s Bug
Bhavuk, who holds a Bachelor of Technology degree in electronics and communication, discovered the bug in ‘Sign in with Apple’. It could affect 3rd-party apps that used the feature and relied on its security measures instead of implementing their own.
Jain said in a statement on Saturday, 30th May that “This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not”.
“For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty program,” he announced.
Bhavuk Jain is a full-stack developer whose main interest is mobile application development with React Native, but he invests most of his time in bug bounty hunting and so works as a full-time bug bounty hunter, trying his best to make the internet a safer place for everybody who uses it.
He disclosed the flaw to Apple which led to an award from Apple’s bug bounty program. Apple has patched the bug.
According to Jain, the ‘Sign in with Apple’ works similarly to ‘OAuth 2.0’.
“There are two possible ways to authenticate a user by either using a JWT (JSON Web Token) or a code generated by the Apple server. The code is then used to generate a JWT,” he explained.
In the 2nd step, while authorizing, Apple gives the user the option to either share their Apple Email ID with the 3rd-party app or not. If the user decides to hide the Email ID, Apple generates its own user-specific Apple relay Email ID. Depending on the user’s selection, after successful authorization Apple creates a JWT containing this Email ID, which the 3rd-party app then uses to log the user in.
He found that he could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.
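As an added illustration (not code from Jain’s write-up or from Apple), the snippet below shows why a relying party that keys its accounts on the token’s email claim was exposed while one that keys on the stable `sub` claim was not, even when the signature checks out. Signature verification against Apple’s published keys is assumed to have already happened; the client id, user ids and the forged payload are constructed values.

```python
import time

APPLE_ISSUER = "https://appleid.apple.com"  # issuer carried by Apple identity tokens
CLIENT_ID = "com.example.thirdpartyapp"     # constructed: the relying party's own client id


def validate_claims(payload, client_id=CLIENT_ID, now=None):
    """Return None if the standard claims are acceptable, else the reason.
    Assumes the RS256 signature was already verified with Apple's public key;
    these are the checks a relying party still needs on top of that."""
    now = time.time() if now is None else now
    if payload.get("iss") != APPLE_ISSUER:
        return "wrong issuer"
    if payload.get("aud") != client_id:
        return "token issued for a different app"
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        return "expired"
    if not payload.get("sub"):
        return "missing subject"
    return None


class Accounts:
    """Minimal user store; the two login paths differ only in the claim they key on."""

    def __init__(self):
        self.by_email = {}
        self.by_sub = {}

    def register(self, username, email, apple_sub):
        self.by_email[email] = username
        self.by_sub[apple_sub] = username

    def login_keyed_on_email(self, payload):
        # Vulnerable pattern: treats the email claim as the identity.
        return self.by_email.get(payload.get("email"))

    def login_keyed_on_sub(self, payload):
        # Hardened pattern: the per-user 'sub' is the identity; email is only a label.
        return self.by_sub.get(payload["sub"])


def demo():
    """Returns (claim check result, email-keyed login, sub-keyed login) for a
    token whose claims are valid but whose email belongs to someone else."""
    store = Accounts()
    store.register("victim", "victim@example.com", "001234.victim-sub")  # constructed
    forged = {"iss": APPLE_ISSUER, "aud": CLIENT_ID, "exp": 2_000_000_000,
              "sub": "009876.attacker-sub", "email": "victim@example.com"}  # constructed
    check = validate_claims(forged, now=1_700_000_000)
    return check, store.login_keyed_on_email(forged), store.login_keyed_on_sub(forged)
```

Running `demo()` shows the email-keyed path handing out the victim’s account while the `sub`-keyed path finds no match.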
In an official statement, he also said, “The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated it since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple – Dropbox, Spotify, Airbnb, Giphy (now acquired by Facebook). These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user.”
Jain’s own write-up gives the technical details and the script behind the bug.
Mårten Mickos, CEO of HackerOne and formerly of MySQL, also tweeted his appreciation for the disclosure, adding that there are still good people in the world who keep learning and fixing issues and bugs for others, making the internet a safer place to spend time and learn.
Apple investigated the bug and found that no accounts had been misused through it; it awarded him the bounty and a place in its hall of fame, for which he was very thankful.