Apple account takeover bug nets researcher US$100,000 – Security
Apple appears to have dodged a significant bullet after a researcher identified a gaping hole in its sign-in authentication process that allowed full account takeover in third-party apps, and possibly services such as iCloud as well.
In April this year, Delhi-based bug bounty hunter Bhavuk Jain found that the Sign in with Apple process could easily be tricked into handing over JavaScript Object Notation (JSON) authentication tokens for any user's email address.
Apple's security team confirmed the bug in the OAuth-style sign-in process, and paid Jain a US$100,000 bounty for finding it.
Sign in with Apple is mandatory for third-party apps such as Dropbox, Spotify, and Airbnb that use other social logins like Facebook and Google, and gives users the option of reducing the amount of data they have to hand over.
Users can either provide their Apple ID email address to third-party apps, or hide it.
In the latter case, Sign in with Apple creates a one-off Apple ID email address for the user, and the server creates a signed JWT that is verified with public key cryptography.
Jain said the bug in the sign-in server-side authentication code was "very critical" as it could have allowed full account takeover for services that use Sign in with Apple.
"I found I could request JWTs for any Email ID from Apple, and when the signature of these tokens was verified using Apple's public key, they were found to be valid.
This means an attacker could forge a JWT by linking any Email ID to it, and gain access to the victim's account," Jain wrote.
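The failure Jain describes is an issuer-side one: the token is genuinely signed, so a relying party that checks the signature correctly still accepts it. The following is an added illustration, not Apple's code or Jain's proof of concept; it models a token-issuing endpoint that binds the client-supplied email into the token beside a corrected version that binds only the identity of the authenticated session. The HMAC signing key, the `SESSION` shape, the `hide_email` field and the relay address format are all constructed stand-ins (Apple actually signs with RS256 and apps verify with its public key).

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the issuer's signing key. Apple signs with RS256 and
# relying parties verify with its public key; HMAC keeps this example offline.
ISSUER_KEY = b"constructed-demo-signing-key"
ISSUER = "https://appleid.apple.com"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_id_token(claims: dict) -> str:
    """Sign a JWT the way the issuer would; the signature is valid by construction."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_id_token(token: str) -> dict:
    """What a relying party does: check the signature, then trust the claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def relay_address_for(apple_id: str) -> str:
    """Constructed stand-in for the one-off 'hide my email' relay address."""
    return hashlib.sha256(apple_id.encode()).hexdigest()[:16] + "@relay.example"

def issue_token_vulnerable(session: dict, request_body: dict) -> str:
    # Defect modelled on the report: the email bound into the token is taken
    # from the client-supplied request body, not from who actually logged in.
    # The resulting token carries a valid signature, so verify_id_token accepts it.
    return mint_id_token({"iss": ISSUER, "email": request_body["email"]})

def issue_token_fixed(session: dict, request_body: dict) -> str:
    # The identity comes only from the authenticated session; the request body
    # may only choose whether the real address or a relay address is shared.
    email = session["apple_id"]
    if request_body.get("hide_email"):
        email = relay_address_for(email)
    return mint_id_token({"iss": ISSUER, "email": email})
```

The point for defenders is that signature checks at the app cannot catch this class of bug; the control has to live where the identity claim is bound, and issuance logs (as Apple reviewed here) are the place to look for misuse.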
Apple told Jain that its investigation of logs showed no misuse or account compromises from the vulnerability.
Other developers speculated that the bug could have been used to access Apple services as well, as the company's security bounty payouts page lists an award of US$100,000 for "broad, unauthorised control of an iCloud account", the only category that matches Jain's report.