Bhavuk Jain, a 27-year-old Indian developer, and programmer found a critical security bug in ‘Sign in with Apple’ feature unveiled last year on June 3, 2019, at Apple’s 2019 Worldwide Developers Conference (WWDC).
In his blog, he wrote that for discovering this vulnerability, he was paid $100,000 by Apple under their Apple Security Bounty program. As a part of Apple’s dedication and responsibility for ensuring the cybersecurity of its users, Apple rewards technicians who find a critical loophole in the security system and techniques by which hackers can exploit them.
Almost all big technology companies run bug hunting bounty programs which offer a huge sum of money as a reward to researchers who find security flaws in the operation of various features and services launched by them
What is ‘Sign in with Apple’?
Sign in with Apple is a single sign-in provider launched by Apple Inc. to allow users to create accounts for third-party services like Spotify and Dropbox by providing a little amount of personal information. In other words, your Apple ID is the account you can use to enjoy various Apple services smoothly and efficiently.
Bhavuk Jain in his blog wrote:
“The Sign in with Apple works similarly to OAuth 2.0. There are two possible ways to authenticate a user by either using a JWT (JSON Web Token) or a code generated by the Apple server. The code is then used to generate a JWT. The below diagram represents how the JWT creation and validation works.”
He further added that:
“In the 2nd step, while authorizing, Apple gives an option to a user to either share the Apple Email ID with the 3rd party app or not. If the user decides to hide the Email ID, Apple generates its own user-specific Apple relay Email ID. Depending upon the user selection, after successful authorization, Apple creates a JWT which contains this Email ID which is then used by the 3rd party app to log in a user.”
Day Zero in Sign in with Apple
Day Zero also called a Zero-day attack is a potentially critical software security deficiency that is unknown to the software developer. It includes malware, adware, spyware, or illicit access to user information. It is named after the number of days the software developer knows about the flaw.
Jain explained the security bug present in this Apple feature in the following words, “I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”
This issue is serious as it may lead to a complete takeover of the account by the hacker. This issue now stands resolved. He further added that Apple Security Team also did an investigation of their logs and found that there was no abuse or compromise to the security of users due to this vulnerability.
It is no new thing for Indians as they master in finding critical bugs in services and applications launched by big international technology companies and have been rewarded by companies like Facebook and Google under their bounty programs in the past as well.
This shows the growing prowess of Indians in technology and research development.
Image Credits: Google Images
Find the blogger: @lisa_tay_ari
This post is tagged under: Apple bugs, bug hunting bounty, Apple. Facebook, hackers, hacking, find a loophole, find a bug, security lapse, safety bug, safety issue, data of users, sign in with apple, bhavuk jain, apple bug found by INdian techie, INdian software engineer, Indian programmer