Apple Security Bounty program: Indian developer earns Rs 75 lakh for fixing a 'Sign in with Apple' bug

The 27-year-old developer discovered a "Zero Day" bug in the 'Sign in with Apple' process that could have allowed hackers to take over a user's account on a third-party application.

Apple has reportedly paid $100,000 (around Rs 75 lakh) to an Indian developer, Bhavuk Jain, for finding a critical bug in the 'Sign in with Apple' process. The 27-year-old developer discovered a "Zero Day" bug in the sign-in flow that could have allowed hackers to take over a user's account on a third-party application.

Jain in a blog post said, "What if I say, your Email ID is all I need to take over your account on your favorite website or an app. Sounds scary, right? This is what a bug in 'Sign in with Apple' allowed me to do.

"In the month of April, I found a zero-day in 'Sign in with Apple' that affected third-party applications which were using it and didn’t implement their own additional security measures. This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not," he added.

'Sign in with Apple' was introduced last year in June. It lets users set up an account and sign in to third-party apps with their Apple ID without having to hand over their email address. This is done by generating a JSON Web Token (JWT), which carries the information the third-party application needs to confirm the user's identity while preserving the user's privacy. The Zero Day bug, however, exposed user accounts to attack.


Jain explained in his blog post that there was no validation to check that the user requesting the JWT was the same user who had authenticated and for whom the JWT was generated. Hackers could have exploited the vulnerability by forging a JWT for another user's identity. Since a lot of developers have integrated 'Sign in with Apple', this vulnerability could have proved quite critical.
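As an added illustration that is not from the article, from Jain's write-up or from Apple's code, the toy identity-token issuer below models the missing check described above: the vulnerable issuer signs a token for whatever email ID the request names, while the fixed issuer only signs for the identity already bound to the caller's authenticated session, and the relying-party verifier shows why a mis-issued token is dangerous (it is genuinely signed). It assumes HS256 with a constructed key, a placeholder issuer URL and an email claim as the identity, none of which are Apple's actual parameters.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-key"   # constructed; a real issuer uses asymmetric keys
ISSUER = "https://issuer.example"       # placeholder, not Apple's issuer URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Produce a compact HS256 JWT (header.payload.signature) over the claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str) -> dict:
    """Relying-party check: signature and issuer are valid, so the claims are trusted.
    This is exactly why a mis-issued token is dangerous: it is a genuine token."""
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    return claims


def issue_token_vulnerable(session: dict, request: dict) -> str:
    # Flaw: the identity is taken from the request body and never compared with
    # the user who actually authenticated, so knowing a victim's email ID suffices.
    return sign_jwt({"iss": ISSUER, "email": request["email"], "iat": int(time.time())})


def issue_token_fixed(session: dict, request: dict) -> "str | None":
    # Fix: refuse (return None) unless the requested identity is the one bound to
    # the authenticated session, and take the claim from the session, not the request.
    if request["email"] != session["email"]:
        return None
    return sign_jwt({"iss": ISSUER, "email": session["email"], "iat": int(time.time())})
```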

In his blog post, Jain also said that Apple paid him $100,000 for this vulnerability under its Apple Security Bounty program, and that the issue has been resolved. Jain added that Apple investigated its logs and determined that there was no misuse or account compromise due to this vulnerability.

Read Bhavuk Jain's blog post: Zero-day in Sign in with Apple
