A bug in Sign In with Apple – the feature that lets users log into third-party apps without handing those apps their real email address – has been discovered by an app developer and fixed by Apple.
“In the month of April, I found a zero-day in Sign In with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures,” said developer Bhavuk Jain in a blog post.
“This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”
How Sign In with Apple works
Jain explained that Sign In with Apple offers two ways to authenticate a user: the app can receive a JSON Web Token (JWT) directly, or it can receive an authorization code generated by Apple's server, which the app then exchanges with Apple for a JWT.
In the next step, Jain explained, Apple allows the user to choose whether they would like to share their Apple Email ID with the third-party app.
If the user decides to hide their Email ID, Apple creates a user-specific Apple relay Email ID.
This Apple relay Email ID is then the address the third-party app sees when it logs the user in.
How the bug worked
“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” said Jain.
In other words, Apple itself would issue a correctly signed JWT containing whatever Email ID the attacker asked for. An app that identified its users by the email address in that token would then log the attacker into the account belonging to the victim's address, with no signature check able to tell the difference.
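As an added illustration (not code from the article or from Jain's write-up), the following Go program models the relying-party side of the flow described above. A locally generated RSA key stands in for Apple's signing key, and the client ID, subject identifiers and email addresses are constructed for the example. It mints a token whose email claim names the victim but whose signature is genuine, shows that the standard relying-party checks (signature, issuer, audience, expiry) all pass, and then contrasts an account lookup keyed on the email claim with one keyed on the token's subject identifier. Whether keying on `sub` would have blocked this particular bug is not something the article establishes; the example shows only what the usual token checks can and cannot detect.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of an identity token a relying party checks (standard JWT claim names).
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`   // stable per-user, per-app identifier assigned by the issuer
	Email string `json:"email"` // real or relay address, whichever the user chose to share
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken stands in for Apple's issuer, with a locally generated RSA key in place of Apple's.
// It signs whatever claims it is handed, email included: a genuine signature over a chosen email.
func MintToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyToken does the usual relying-party checks: signature under the issuer's public key, then
// issuer, audience and expiry. The algorithm is pinned to RS256 rather than read from the header,
// so a token claiming "none" or HS256 simply fails. Nothing here can detect a wrong email claim.
func VerifyToken(token string, pub *rsa.PublicKey, wantAud string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(payload, &c)
	}
	if err != nil {
		return c, err
	}
	if c.Iss != "https://appleid.apple.com" || c.Aud != wantAud || now.Unix() >= c.Exp {
		return c, errors.New("issuer, audience or expiry check failed")
	}
	return c, nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Demo replays the article's scenario on constructed data: a token whose email claim names the
// victim but whose subject is the attacker's own, and whether email- or sub-keyed lookups match.
func Demo() (emailKeyedMatchesVictim, subKeyedMatchesVictim bool) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	const clientID = "com.example.app" // constructed app identifier
	victim := struct{ AppleSub, Email string }{"001234.victim", "victim@example.com"} // constructed
	now := time.Now()
	tok, err := MintToken(priv, Claims{Iss: "https://appleid.apple.com", Aud: clientID,
		Sub: "009999.attacker", Email: victim.Email, Exp: now.Add(10 * time.Minute).Unix()})
	check(err)
	claims, err := VerifyToken(tok, &priv.PublicKey, clientID, now) // passes: the signature is genuine
	check(err)
	return claims.Email == victim.Email, claims.Sub == victim.AppleSub
}

func main() {
	fmt.Println(Demo())
}
```

Running it prints `true false`: every standard check on the token succeeds, an email-keyed lookup lands on the victim's account, and only a lookup keyed on the subject identifier fails to. The point for a relying party is that nothing in its own verification distinguishes such a token from a legitimate one, which is why the fix had to be made on Apple's side and why the article stresses the "additional security measures" an app applies after token verification.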
Jain said that the impact of this vulnerability was critical, as it could have allowed the attacker to fully take over the victim’s account and data.
Given that Apple requires apps that offer other third-party or social login options to support Sign In with Apple as well, and that it is used by the likes of Dropbox, Spotify, and Airbnb, the potential scope of this flaw was extensive.
“These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user,” added Jain.
Jain said that Apple determined there had been no misuse of the vulnerability and no account compromises as a result of it.