In April, security researcher Bhavuk Jain discovered a zero-day vulnerability in Sign in with Apple that affected third-party applications using the feature without implementing their own security measures.
According to the researcher, the Apple zero-day “could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”
The vulnerability, which has already been patched, earned Jain a $100,000 reward from Apple under its Apple Security Bounty program.
Sign in with Apple Zero-Day Bug
The Sign in with Apple feature was introduced in 2019 and is meant to be a more private alternative to the website and app login systems offered through Facebook and Google accounts. Apple minimized the amount of user data needed for authentication and account creation, producing an API that also reduces how much Facebook and Google can track users. However, it turned out that the privacy-focused Sign in with Apple contained a zero-day, discovered by security researcher Bhavuk Jain.
The vulnerability could have enabled an attacker to gain access to, and take full control of, a user's account on a third-party app. Furthermore, whether or not the victim had a valid Apple ID did not matter for the bug to be exploitable.
How does Sign in with Apple work? The feature relies on either a JSON Web Token (JWT for short) or a code generated by Apple's servers; Apple's servers come into play when a JWT is not available. Apple also lets users choose whether to share or hide their Apple email ID from the third-party app. Once authorization succeeds, Apple generates a JWT containing the email ID, which the third-party app then uses to log the user in.
Jain found out that it was possible to request a JWT for any email ID:
I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.
The impact of this bug was “quite critical” as it could have enabled full account takeover, the researcher added. Furthermore, many developers have integrated Sign in with Apple, because it is mandatory for applications that support other social logins.
Apps that use Sign in with Apple include widely adopted names such as Dropbox, Spotify, Airbnb and Giphy (which was acquired by Facebook). “These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user,” Jain said in his report.
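What such "other security measures" on the relying-party side could look like, as an added example that is not code from the researcher, Apple or any of the apps named above: a Go check of an RS256 identity token that verifies the signature against the issuer's public key, then the standard iss, aud, exp and sub claims, and hands back the stable subject identifier as the value to key accounts on rather than the email claim. The key pair and tokens are generated locally as a constructed stand-in for Apple's servers, the client ID and claim values are made up, and keying on sub goes one step beyond what the article itself describes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var enc = base64.RawURLEncoding // JWT segments are unpadded base64url
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Sub   string `json:"sub"`   // stable per-user identifier: key accounts on this
	Email string `json:"email"` // convenience data only, never the account key
}
// NewKey and MintToken are constructed stand-ins for the issuer: a throwaway key and its RS256 signing step.
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
func MintToken(priv *rsa.PrivateKey, c Claims) string {
	payload, _ := json.Marshal(c)
	signing := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	d := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return signing + "." + enc.EncodeToString(sig)
}
// VerifyIDToken checks the RS256 signature, then issuer, audience, expiry and subject. A valid
// signature proves only who issued the token, so the returned Sub is what the app must look up.
func VerifyIDToken(tok string, pub *rsa.PublicKey, clientID string, now int64) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := enc.DecodeString(parts[2])
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signing input is header.payload
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if payload, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != "https://appleid.apple.com" || c.Aud != clientID || c.Exp <= now || c.Sub == "" {
		return nil, errors.New("issuer, audience, expiry or subject check failed")
	}
	return &c, nil
}
```

Even a token that passes every check only proves that the issuer signed those claims, which is why the account lookup is keyed on sub and the email is treated as data rather than as identity.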
Apple investigated its own logs and determined that there had been no misuse of the zero-day vulnerability and no resulting account compromise.