Publicly disclosed security bugs in Apple's services are rare, so it may surprise many Apple users that a full-stack developer from India not only found a critical flaw in "Sign in with Apple" account authentication but also won Rs 75 lakh from the tech giant for it. Bhauvik Jain, the 27-year-old developer, said in a blog post that he had reported the flaw in April. The bug could have allowed attackers to fully take over any third-party account that used the feature to sign in.


The flaw was made public on Saturday; Apple has since fixed the issue and paid Bhauvik $100,000 (nearly Rs 75 lakh) under the Apple Security Bounty program. The tech giant announced Sign in with Apple in 2019 to let users with an Apple ID sign into third-party apps and websites simply and quickly.

The feature was promoted as more secure than alternatives such as Google and Facebook login. Apple claimed that while those methods could be used to collect users' personal data, the same could not be done with Sign in with Apple.

However, Bhauvik claims that the whole system was marred by an unpatched vulnerability in Apple's own token-issuing servers: anybody who knew your email address, and had the technical know-how, could obtain an Apple-signed token for that address and gain access to every third-party account you had linked to it through the feature.


“The Sign in with Apple works similarly to OAuth 2.0. I found I could request JWTs (JSON Web Tokens) for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” Jain said. 

“This means an attacker could forge a JWT by linking any Email ID to it and gain access to the victim’s account.”
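The two quotes above describe the mechanism in a few words; the following is an added example, written for this page and not code from Jain's blog post or from Apple, that models it end to end. It uses a toy identity provider (IdP) that mints JWTs and a relying party (RP) that verifies them. HS256 (a shared HMAC key) stands in for Apple's RS256 key pair so that it runs on the Python standard library alone; the issuer URL, client ID, session table and email addresses are all constructed for the demonstration. The point it shows is the one Jain makes: a relying party can check the signature, issuer, audience and expiry perfectly and still log the attacker in as the victim, because a valid signature proves who issued the token, not that the issuer was right to put that email in it.

```python
"""Toy model of the Sign in with Apple token flaw (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret shared by the toy IdP and RP (stands in for Apple's key pair).
IDP_KEY = b"constructed-demo-key-not-for-real-use"
ISSUER = "https://idp.example"         # assumed issuer URL
CLIENT_ID = "com.example.relying-app"  # assumed RP client_id / audience


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = IDP_KEY) -> str:
    """Mint an HS256 JWT: base64url(header).base64url(claims).base64url(mac)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"


# Accounts the IdP has actually authenticated: session -> (sub, verified email).
SESSIONS = {
    "attacker-session": ("sub-attacker", "attacker@example.net"),
}


def buggy_issue_token(session: str, requested_email: str) -> str:
    """The flaw as the article describes it: the IdP signs whatever email the
    caller asks for, as long as the caller holds *some* valid session."""
    sub, _ = SESSIONS[session]
    return sign_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": sub,
                     "email": requested_email, "exp": int(time.time()) + 600})


def fixed_issue_token(session: str, requested_email: str) -> str:
    """Fixed IdP: the email claim is bound to the authenticated account."""
    sub, verified_email = SESSIONS[session]
    if requested_email != verified_email:
        raise PermissionError("email does not belong to the authenticated account")
    return sign_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": sub,
                     "email": verified_email, "exp": int(time.time()) + 600})


def rp_verify(token: str, key: bytes = IDP_KEY, now=None) -> dict:
    """Relying-party checks: signature, issuer, audience, expiry.
    Every one of them passes for the buggy token as well."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def login_email(token: str) -> str:
    """What an RP keyed on email does with a verified token: log in whoever it names."""
    return rp_verify(token)["email"]


def demo() -> dict:
    victim = "victim@example.com"  # constructed victim address
    # The attacker holds only their own session, yet asks for the victim's email.
    forged = buggy_issue_token("attacker-session", victim)
    result = {"buggy_logs_in_as": login_email(forged)}
    try:
        fixed_issue_token("attacker-session", victim)
        result["fixed_refused"] = False
    except PermissionError:
        result["fixed_refused"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the buggy issuer producing a token that `rp_verify` accepts and that logs the attacker in as `victim@example.com`, while the fixed issuer refuses the request outright. Note that in this toy the `sub` claim stays the attacker's, so an RP that keyed accounts on the stable `sub` rather than on `email` would not have been fooled; whether that held for Apple's real tokens is not something the article states.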

Apple has made Sign in with Apple mandatory for all applications that offer other social logins. Dropbox and Spotify are two examples of apps that support it.

“The impact of this vulnerability was quite critical as it could have allowed full account takeover,” Jain said.

Apple is yet to release an official statement on the flaw.