
Apple awards hacker $100K for finding a Sign In With Apple vulnerability

A vulnerability in Sign In With Apple could have allowed attackers to take over the third-party accounts linked to a victim's Apple ID. India-based security researcher Bhavuk Jain discovered it in April; Apple has since patched the flaw and, in recognition of the discovery, awarded Jain a bug bounty of $100,000.

Sign-in platforms, including Apple's, protect user identity by handing the third-party service a token instead of a set of private credentials. In Apple's case the token is a signed JSON Web Token (JWT) produced every time you click the Sign In With Apple button; the third party authenticates you by checking that signature against Apple's published public key and reading the identity claims the token carries.

The bug Bhavuk found lay in how Apple's authentication service decided whose identity to put into that token. Sign In With Apple required a valid, logged-in Apple account, but it did not check that the account named in the token request was the account that had actually logged in. Whatever Apple ID the request named, irrespective of the account linked to the device, Bhavuk received a correctly signed token for it and could present that token to a third-party app to take over the account linked to that Apple ID.

The victim's Apple account itself was never compromised, since the attacker never sees its password or session, but a token minted this way could have let an intruder log into any app where the victim had used Sign In With Apple. It is also worth noting that the bug would have been damaging only where the third-party service trusted the token alone and had no additional verification of its own.
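The flaw described in the three paragraphs above, as an added simulation that is not Apple's code and not taken from Bhavuk Jain's write-up: a toy identity provider that signs ID tokens, a relying party that validates them the way a typical Sign In With Apple integration does (signature, issuer, audience, expiry), and the single server-side check whose absence lets a valid session mint a token for an arbitrary email. Everything here is assumed for illustration: the function names, the session structure and the relying-party code are hypothetical, and the tokens are HS256-signed with a standard-library HMAC rather than Apple's RS256 so that the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the simulation. Real Sign in with Apple ID tokens are
# RS256-signed and verified with Apple's published public keys; HS256 with a
# shared secret is used here only so the example runs with the stdlib.
IDP_SIGNING_KEY = b"simulated-idp-signing-key"
ISSUER = "https://appleid.apple.com"   # the iss value Apple's ID tokens carry
TOKEN_LIFETIME = 600                   # seconds, an arbitrary choice


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = IDP_SIGNING_KEY) -> str:
    """Produce the compact JWT form header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, claims)]
    signature = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(signature)])


def _id_token(email: str, client_id: str) -> str:
    now = int(time.time())
    return sign_jwt({"iss": ISSUER, "aud": client_id, "iat": now,
                     "exp": now + TOKEN_LIFETIME, "email": email})


def issue_id_token_vulnerable(session: dict, requested_email: str, client_id: str) -> str:
    """Models the flaw: a logged-in Apple ID session is required, but the
    identity written into the token is whatever the request names."""
    if not session.get("authenticated"):
        raise PermissionError("no authenticated Apple ID session")
    return _id_token(requested_email, client_id)


def issue_id_token_fixed(session: dict, requested_email: str, client_id: str) -> str:
    """The missing binding: the requested identity must be the authenticated one."""
    if not session.get("authenticated"):
        raise PermissionError("no authenticated Apple ID session")
    if requested_email != session["email"]:
        raise PermissionError("requested identity is not the authenticated Apple ID")
    return _id_token(requested_email, client_id)


def relying_party_login_email(token: str, client_id: str,
                              key: bytes = IDP_SIGNING_KEY, now=None) -> str:
    """What a third-party app does with the token: check signature, issuer,
    audience and expiry, then trust the email claim. Nothing here can detect
    that the provider put the wrong identity into a validly signed token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was issued for a different app")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims["email"]


def takeover_attempt(issue, attacker_email="attacker@example.com",
                     victim_email="victim@example.com", client_id="com.example.app"):
    """The attacker holds a genuine session for their own Apple ID and asks the
    provider for a token naming the victim. Returns the email the third-party
    app would log in as, or None if the provider refused to mint the token."""
    attacker_session = {"authenticated": True, "email": attacker_email}  # constructed
    try:
        token = issue(attacker_session, victim_email, client_id)
    except PermissionError:
        return None
    return relying_party_login_email(token, client_id)


if __name__ == "__main__":
    print("vulnerable issuer logs attacker in as:", takeover_attempt(issue_id_token_vulnerable))
    print("fixed issuer logs attacker in as:", takeover_attempt(issue_id_token_fixed))
```

The relying party's checks are the standard ones and they all pass on the forged token, which is the point of the article's caveat: once the identity provider signs the wrong identity, only an extra verification step on the app's side (or the provider's fix) stands between the attacker and the account.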

“The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple – Dropbox, Spotify, Airbnb, Giphy (Now acquired by Facebook). These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user,” wrote Bhavuk in a blog post.

Apple told Bhavuk, after investigating its internal logs, that “there was no misuse or account compromise due to this vulnerability.”

Apple launched the sign-in service about a year ago and has built it around the promise of a more private and secure login experience. It has been adopted by a number of developers and companies including Airbnb, Dropbox, Adobe, TikTok, and more. It's unclear how long this vulnerability was exposed and how far-reaching its effect will be on early adopters' trust in the service. We've reached out to Apple about this and will update the story when we hear back.

Shubham Agarwal
Shubham Agarwal is a freelance technology journalist from Ahmedabad, India. His work has previously appeared in Firstpost…