A zero-day vulnerability in Apple's "Sign in with Apple" account authentication was reported in April by Indian security researcher Bhavuk Jain, who claims to have been paid $100,000 (around ₹75 lakh) by Apple under its Security Bounty programme.
The vulnerability is believed to affect third-party apps that used Apple's authentication but did not deploy any additional security measures of their own. If exploited, it could have allowed attackers to take full control of user accounts on those third-party apps.
In the first step, users send an authentication request to Apple's authentication server, which grants authorisation by returning a JWT in exchange for the user's request. The JWT is then sent to the third-party app for verification. The third-party app sends the JWT to Apple's authentication server, using Apple's public key, for verification. Once Apple has verified it, users are allowed to log in to the app using the JWT.
In the second process, where a code is generated by Apple's server, users are given the choice of whether or not to share their Apple email ID with the third-party app. If they do not want to share their Apple ID with developers, Apple generates its own user-specific Apple relay email ID. Whichever option users choose, once authorisation is complete Apple creates a JWT containing that email ID, which the app then uses to let the user log in.
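The flow above turns on the third-party app actually checking the JWT it receives, not merely decoding it. The following is an added example (not Apple's code or the researcher's), showing the checks a server-side verifier should apply before trusting the email in the token: signature, issuer, audience, expiry and a subject claim. Apple signs identity tokens with RS256 keys published at its JWKS endpoint; to run offline this example substitutes an HMAC-SHA256 key as a stand-in for that signature, and the client ID and key are constructed values.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins: Apple really signs with RS256 using published public keys,
# but an HMAC key lets this example run offline. The claim checks are the point.
APPLE_ISSUER = "https://appleid.apple.com"
APP_CLIENT_ID = "com.example.thirdpartyapp"   # assumed: this app's registered client ID
DEMO_KEY = b"constructed-demo-signing-key"    # assumed: stand-in for the issuer's key

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a constructed identity token the way an issuer would (test fixture only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_identity_token(token: str, key: bytes = DEMO_KEY, now: float = None) -> dict:
    """Return the claims only if the token is acceptable for this app; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # the verifier, not the token, decides the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")     # any edit to the email or other claims lands here
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != APP_CLIENT_ID:    # a token minted for another app must not log in here
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if "sub" not in claims:                   # stable user identifier; key accounts on it, not email alone
        raise ValueError("no subject")
    return claims
```

Only after all checks pass should the app read the `email` claim (which may be a relay address) and map the `sub` to its own account record.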
Many developers have integrated "Sign in with Apple" into their apps alongside other social logins, as Apple made it mandatory for apps that support third-party sign-ins. Introduced in 2019, Apple's authentication allows users to sign in to apps and websites using their Apple ID and Face ID.
Unlike other third-party sign-ins, Apple's authentication gave users the option not to share their email address with third-party apps, generating a random email ID for them instead. This was meant to strengthen user privacy and make users feel less exposed.
In 2018, Facebook had to revoke access tokens for around 90 million users after it was found that attackers were harvesting access tokens by exploiting bugs in Facebook's code that had been introduced when a video uploader was added to the social network in 2017.