Skip to main content

Apple awards hacker $100K for finding a Sign In With Apple vulnerability

A vulnerability inside Sign In With Apple could have potentially allowed hackers to take over your linked, third-party accounts. Discovered by India-based security researcher Bhavuk Jain in April, Apple has since patched the loophole, and in recognition of the discovery, awarded Jain a bug bounty of $100,000.

Sign-in platforms, including the one by Apple, protect user identity by exchanging a token with the third-party service instead of providing a set of private credentials. This token is produced every time you click, in Apple’s case, the Sign-In With Apple button, and lets the third party authenticate you by running it through Apple’s database.

The bug that Bhavuk came across affected how Apple’s authentication service confirmed who was requesting that token in a session. While Sign-In With Apple needed a valid Apple account to work, it wasn’t verifying whether that same account was the one requesting a token. Therefore, irrespective of the device’s linked Apple account, Bhavuk was able to retrieve a token for any Apple ID and use that to illicitly take over its connected, third-party account.

Even though the victim’s Apple account wasn’t compromised, since that’s never directly revealed in the process, this loophole could have enabled intruders to log into any of the account’s Sign-In With Apple apps. It’s also worth noting that the bug would have proved detrimental only when the third-party service itself didn’t have any additional privacy protections of its own.

“The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple – Dropbox, Spotify, Airbnb, Giphy (Now acquired by Facebook). These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user,” wrote Bhavuk in a blog post.

Apple told Bhavuk, after investigating its internal logs, that “there was no misuse or account compromise due to this vulnerability.”

Launched about a year ago, Apple has centered its sign-in service around the idea of a more private and secure login experience. It has been adopted by a number of developers and companies including Airbnb, Dropbox, Adobe, TikTok, and more. It’s unclear for how long this vulnerability was left in the open and how far-reaching its effects would be on early adopters’ trust in the sign-in service. We’ve reached out to Apple regarding the same and we’ll update the story when we hear back.

Shubham Agarwal
Former Digital Trends Contributor
Shubham Agarwal is a freelance technology journalist from Ahmedabad, India. His work has previously appeared in Firstpost…
Does the Apple iPad (2022) have Face ID?
The front of the iPad 10th Gen.

The release of the iPad (2022) marks the first time we've seen a unified design across Apple's complete tablet lineup in four years. The 2022 model of the entry-level iPad gains the nearly bezel-free design of its more expensive siblings and also marks the next big step in the ultimate death of Apple's Lightning port by bringing USB-C to the entire iPad family.

While the iPad was known for nearly eight years for its iconic design that featured wide bezels and a front-and-center home button, Apple changed the game when it released a new pair of iPad Pro models in the fall of 2018. Following at least partly in the footsteps of the 2017 iPhone X, the new iPad Pro lineup adopted an edge-to-edge screen design, eliminating the home button and adopting Face ID authentication. Although the bezels shrank dramatically over prior iPad models, the larger size of Apple's tablets allowed the company to leave enough room for the True Depth camera system needed to drive Face ID without resorting to a notched screen.

Read more
Touch ID might soon come to an Apple device you least expect
apple watch touch id fingerprint sensor patent smartwatch ipad

If you’ve ever wished for some sort of biometric authentication system on the Apple Watch, you’re not alone. Apple engineers, too, are imagining ways to put the Touch ID fingerprint sensor on the Apple Watch. At least according to a patent application, that is.

Titled “Electronic device having sealed button biometric sensing system,” the patent application filed by Apple describes methods of fitting a fingerprint sensor inside a smartwatch. Aside from discussing the technical aspects and various ways it can come to life, the application describes some of the use case scenarios, as well.

Read more
Apple hikes Apple Music price for students in U.S., Canada, and U.K.
A young man wearing headphones.

Apple has increased the monthly fee for U.S.-based students using Apple Music.

Spotted by AppleInsider, the price hike means students in the U.S. will now be charged $5.99 a month for the streaming service, marking a $1 increase.

Read more