
Apple awards hacker $100K for finding a Sign In With Apple vulnerability

A vulnerability in Sign In With Apple could have allowed hackers to take over the accounts you had linked to it at third-party apps and websites. India-based security researcher Bhavuk Jain discovered the flaw in April; Apple has since patched it and, in recognition of the discovery, awarded Jain a bug bounty of $100,000.

Sign-in platforms, including Apple’s, protect your identity by handing the third-party service a signed token instead of your username and password. In Apple’s case, that token (a JSON Web Token, or JWT) is generated every time you tap the Sign In With Apple button. It carries the identifier and email address of the Apple account and is signed by Apple, so the third party can confirm that Apple vouched for you by checking the signature against Apple’s published public keys, without ever seeing your credentials.


The bug that Bhavuk came across affected how Apple’s authentication servers checked who was asking for that token during a session. Sign In With Apple still required a valid, signed-in Apple account to reach the token endpoint, but it did not verify that the Apple ID named in the request belonged to the account making it. As a result, regardless of which Apple account was signed in on the device, Bhavuk could request a token for any Apple ID, receive one signed by Apple, and use it to illicitly take over the third-party account connected to that Apple ID.

The victim’s Apple account itself wasn’t compromised, since its password is never revealed in the process, but a valid token bearing the victim’s identity would have let an intruder log into any app the victim had connected through Sign In With Apple. It’s also worth noting that the bug would have been damaging only where the third-party service trusted the token alone: an app that required a second factor or otherwise re-verified the user would have stopped the takeover.

“The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple – Dropbox, Spotify, Airbnb, Giphy (Now acquired by Facebook). These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user,” wrote Bhavuk in a blog post.

Apple told Bhavuk, after investigating its internal logs, that “there was no misuse or account compromise due to this vulnerability.”

Apple launched the sign-in service about a year ago and has centered it on the promise of a more private and secure login experience. It has been adopted by a number of developers and companies including Airbnb, Dropbox, Adobe, TikTok, and more. It’s unclear how long this vulnerability was exploitable before the fix, or how much it will dent early adopters’ trust in the service. We’ve reached out to Apple for comment and will update the story when we hear back.

Shubham Agarwal
Shubham Agarwal is a freelance technology journalist from Ahmedabad, India. His work has previously appeared in Firstpost…