Last month researcher Bhavuk Jain discovered a bug while sighing in third party apps using Sign-in with Apple. This bug if not discovered could have taken over several Apple user accounts. The vulnerability occurred with only those third-party apps that did not use any extra security measures.
According to Jain, Sign in With Apple authenticates a user through a code that is generated by Apple’s server or through a JSON Web Token. Once authenticated, Apple gives the option to the users to share their private email or the one that is tied with their Apple ID. This email ID creates the JWT that is then used to log in.
Later Jain discovered that once the tokens for both email addresses were requested and Apple’s pubic key verified the token’s signature it “showed as valid.” If the bug was not discovered it could create a JWT and gain access to the user’s account.
In an interview, Jain said that the impact of the bug was severe as it could allow a total takeover of the user’s account.
Apple rewarded Jain $100,000 for reporting the bug. Apple also conducted the investigation and it was discovered that no accounts were compromised before solving this issue by patching the bug.
