Skip to main content

Apple awards hacker $100K for finding a Sign In With Apple vulnerability

A vulnerability inside Sign In With Apple could have potentially allowed hackers to take over your linked, third-party accounts. Discovered by India-based security researcher Bhavuk Jain in April, Apple has since patched the loophole, and in recognition of the discovery, awarded Jain a bug bounty of $100,000.

Sign-in platforms, including the one by Apple, protect user identity by exchanging a token with the third-party service instead of providing a set of private credentials. This token is produced every time you click, in Apple’s case, the Sign-In With Apple button, and lets the third party authenticate you by running it through Apple’s database.

The bug that Bhavuk came across affected how Apple’s authentication service confirmed who was requesting that token in a session. While Sign-In With Apple needed a valid Apple account to work, it wasn’t verifying whether that same account was the one requesting a token. Therefore, irrespective of the device’s linked Apple account, Bhavuk was able to retrieve a token for any Apple ID and use that to illicitly take over its connected, third-party account.

Even though the victim’s Apple account wasn’t compromised, since that’s never directly revealed in the process, this loophole could have enabled intruders to log into any of the account’s Sign-In With Apple apps. It’s also worth noting that the bug would have proved detrimental only when the third-party service itself didn’t have any additional privacy protections of its own.

“The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple – Dropbox, Spotify, Airbnb, Giphy (Now acquired by Facebook). These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user,” wrote Bhavuk in a blog post.

Apple told Bhavuk, after investigating its internal logs, that “there was no misuse or account compromise due to this vulnerability.”

Launched about a year ago, Apple has centered its sign-in service around the idea of a more private and secure login experience. It has been adopted by a number of developers and companies including Airbnb, Dropbox, Adobe, TikTok, and more. It’s unclear for how long this vulnerability was left in the open and how far-reaching its effects would be on early adopters’ trust in the sign-in service. We’ve reached out to Apple regarding the same and we’ll update the story when we hear back.

Editors' Recommendations

Shubham Agarwal
Shubham Agarwal is a freelance technology journalist from Ahmedabad, India. His work has previously appeared in Firstpost…
U.K. launches investigation into Apple’s cloud gaming restrictions
Apple arcade games on stage | Apple September 2019 Event Keynote

The United Kingdom's Competition and Markets Authority (CMA) is planning to launch an investigation into Apple's restrictions on cloud gaming. The government agency announced in a press release that it is in the consultation phase of the investigation following a year-long market study into Apple, as well as its rival Google.

The study found that the tech giants had a duopoly over the mobile market that severely restricted competition by third-party developers and deprived them of incentives. In the case of Apple, it's looking into its restrictions on cloud gaming services on the App Store after hearing complaints from U.K. developers who say that such restrictions make it difficult for them to compete in the market, not to mention deprive users who prefer accessing a wide variety of games through cloud gaming that they cannot find in the App Store.

Read more
Apple paid a student $100,000 for successfully hacking a Mac

Hackers typically have a bad reputation, but without them, many security issues would remain undetected. This was proven by Ryan Pickren, a cybersecurity Ph.D. student at the Georgia Institute of Technology.

Pickren found a dangerous vulnerability on Apple Mac devices that granted unauthorized camera access. He reported it to Apple, and for his contribution, he was paid a record-setting $100,500 bounty.

Read more
Forget AirTags. This backpack has Apple’s ‘Find My’ tech built directly into it
Targus backpack with Apple Find My support

Computer accessory maker Targus wants to make misplacing your backpack a thing of the past. At CES 2022 the company introduced a new backpack you can track with your iPhone -- and the best part is you don’t need Apple’s AirTag for it.

The Targus Cypress Hero EcoSmart Backpack comes in-built with the technology behind Apple’s puck-sized tracker. This means you can pull up the Find My app on an iPhone, iPad, Mac, and/or Apple Watch and instantly trace down the backpack’s whereabouts. It houses a tracking module that constantly beams the backpack’s location and, thanks to a rechargeable battery, lasts over a year in one go.

Read more