Now Patched 'Sign in With Apple' Bug Left Users Open to Attack

MacRumors

macrumors bot
Original poster
Apr 12, 2001
48,667
10,094


Researcher Bhavuk Jain in April discovered a critical Sign in With Apple vulnerability that could have resulted in a takeover of some user accounts. The bug was specific to third party apps that used Sign in With Apple and didn't implement additional security measures.


Jain notes that Sign in With Apple works by authenticating a user through a JWT (JSON Web Token) or a code that's generated by Apple's server. Apple then gives users the option to share either the email tied to their Apple ID or a private relay email address, which creates a JWT that's used to log in a user.

Jain then discovered that once JWTs for both Apple ID emails and private relay email addresses were requested and the token's signature was verified using Apple's public key, it "showed as valid." Should the bug have not been discovered, a JWT could be created and used to gain access to one's account.

In an interview with The Hacker News, Jain spoke about the severity of the bug:
The impact of this vulnerability was quite critical as it could have allowed a full account takeover. Many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple - Dropbox, Spotify, Airbnb, Giphy (now acquired by Facebook).
According to Jain, Apple conducted an investigation and concluded that no accounts were compromised using this method before the vulnerability was patched. Jain was paid $100,000 by Apple under its Apple Security Bounty Program for reporting the bug.

Article Link: Now Patched 'Sign in With Apple' Bug Left Users Open to Attack
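The "additional security measures" the article mentions are checks a third-party app can run on the identity token itself. The following is an added example, not code from the article, from Jain's write-up, or from Apple: it verifies the token's RS256 signature, issuer, audience, expiry and a per-login nonce, and keys the account on the stable `sub` claim rather than the email. Apple's real signing key is fetched from its JWKS endpoint (https://appleid.apple.com/auth/keys); here a locally generated RSA key stands in for it, and the client ID, nonce and claim values are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Real Apple issuer value; b64 is the unpadded URL-safe alphabet JWTs use.
var appleIssuer, b64 = "https://appleid.apple.com", base64.RawURLEncoding
// MintToken signs an RS256 JWT; it stands in for Apple's server only to produce realistic test input.
func MintToken(key *rsa.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return signing + "." + b64.EncodeToString(sig)
}

// VerifyAppleToken returns the stable "sub" (never the email) only if alg, signature, issuer, audience, expiry (now is a Unix time) and the app's per-login nonce all pass.
func VerifyAppleToken(tok string, pub *rsa.PublicKey, clientID, nonce string, now int64) (string, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return "", errors.New("malformed token")
	}
	var hdr, c map[string]any
	hdrJSON, e1 := b64.DecodeString(p[0])
	body, e2 := b64.DecodeString(p[1])
	sig, e3 := b64.DecodeString(p[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrJSON, &hdr) != nil ||
		json.Unmarshal(body, &c) != nil || hdr["alg"] != "RS256" { // the app, not the token, picks the algorithm
		return "", errors.New("undecodable token or unexpected alg")
	}
	h := sha256.Sum256([]byte(p[0] + "." + p[1])) // the signature covers header.payload exactly as received
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return "", errors.New("signature does not verify under Apple's key")
	}
	exp, _ := c["exp"].(float64) // JSON numbers decode as float64; a missing exp reads as 0 and fails below
	if c["iss"] != appleIssuer || c["aud"] != clientID || now >= int64(exp) || c["nonce"] != nonce {
		return "", errors.New("issuer, audience, expiry or nonce check failed")
	}
	sub, _ := c["sub"].(string)
	return sub, nil
}
```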

justperry

macrumors G4
Aug 10, 2007
10,604
6,096
I'm a rolling stone.
$100,000 comes in handy, could buy myself 2 x completely loaded (well almost) Mac Pros.
Or half an apartment.
Actually, now I think of it, 4 x fully loaded Mac Pros buys me a nice apartment...WTF.

As for the Researcher, well done, you deserve it.



Unrelated, but is there a problem with the MR forums? See screenshot below.



Populus

macrumors 65816
Aug 24, 2012
1,211
1,071
Valencia, Spain.
Well deserved reward, this could have been a big security flaw.
I’m starting to use Sign in with Apple because I think it is one of the best ideas Apple has had lately.

Why did I wait until now? Because the devs have been pretty slow to adopt it... and I’m not sure all devs will implement this, such as Instagram or Tinder. We’ll see, June is the deadline to implement Sign in with Apple on the apps where it is mandatory.
___________________________________________________

Unrelated, but is there a problem with the MR forums? See screenshot below.
Yeah I’m experiencing the same issue. I thought it was on my phone, but it happens on my iPad as well.

fairuz

macrumors 68020
Aug 27, 2017
2,470
2,528
Silicon Valley
As if this "moral to the story" needs to be repeated again: Never trust early revisions of things to be secure. But actually, please do, I need someone to beta-test for me.

Also, why is JWT always such an emphasized detail? Just means your key is inside a JSON object, like many things on the web, whatever.
 

baryon

macrumors 68040
Oct 3, 2009
3,531
1,526
Ah yes, the good old cycle of: Company forces people to implement their "new thing" because "it's just better trust us" >> "New thing" turns out to have serious flaw
This, and the new iOS bugs, the new macOS bugs. And Apple (and other companies too) pretend that there is no conceivable reason for anyone to want to stick with the old tried and tested system despite the fact that it worked just fine.
 

konqerror

macrumors 68020
Dec 31, 2013
2,177
3,490
As if this "moral to the story" needs to be repeated again: Never trust early revisions of things to be secure. But actually, please do, I need someone to beta-test for me.
I'm done updating.
Except there's no choice in this case. The bug didn't require you to use sign in with Apple, it let attackers exploit accounts under their control to get into anybody else's account.
 

tjrchka

macrumors newbie
Dec 19, 2017
5
14
California
Congratulations to Mr. Jain.

Questions I have based on the comments so far:
1. How uncommon are bugs in software/services? Not just at Apple, at all companies.
2. How do we get new devices/services/functionality, if things don’t change?

I have older friends on 11-year-old Macs updated to the latest OS they can run. They have contemporary iPhones on which they do 99.99% of what they want or feel capable of doing.

If it weren’t for their iPhones which are newer they’d probably need new computers.
Point being, new technology replaces old and new software replaces old, making it easier for some (which it should, in order for it to be good for the user) and frustrating for those not willing to adapt/grow/change.
 

fbr$

macrumors regular
Feb 6, 2020
200
282
I don't care.

I'm done updating.

I'm sick and tired of my phone being artificially slowed.

I'm back to using Linux for things that need to be secure, like banking, etc.
My iPhone 8 Plus is very fast on iOS 13.5.

And my 2017 MacBook Air i5 with 8GB RAM on macOS Catalina 10.15.5 is performing very well on basic tasks (Pages, Safari, Preview, all three apps and others open at the same time). I'm thinking of buying a new MacBook mainly due to the non-Retina display and to get 16GB RAM.
 

Analog Kid

macrumors 603
Mar 4, 2003
5,093
3,240
Apple needs to boost their security team. There are a few things like this that have been slipping through the cracks recently. I get that new features have bugs, but this doesn't seem particularly obscure-- if I'm reading the linked article correctly, you could get a valid token for any Apple ID just by asking for one? If so, it sounds like it wasn't exploited simply because nobody had tried yet...

Perhaps this bug was found (not by Apple) but how many more remain?
Hard pass on ever trying this feature
That same question could be asked of any service. There is no answer to "how many more remain". More mature services will have fewer bugs, in general, but new features will bring new bugs with them.
 

sdf

macrumors 6502
Jan 29, 2004
313
247
If it was unexploited and has been patched, there's not much of a story here… except to other businesses that might consider Sign In With Apple.

Luckily, you don't have to use it if you don't use other third party sign-in services.
 

fairuz

macrumors 68020
Aug 27, 2017
2,470
2,528
Silicon Valley
Except there's no choice in this case. The bug didn't require you to use sign in with Apple, it let attackers exploit accounts under their control to get into anybody else's account.
The developer has a choice of which login methods to support, and I'm a developer.

Side note, as a user, it seems you're only vulnerable if you used an email or an Apple ID to sign in, not something else. Email login is (and will always be) less secure for a variety of reasons, plus it opens the user up to spam, so I never use it. Just have some burner Goog and FB accounts, which have a proven security track record.
 

Analog Kid

macrumors 603
Mar 4, 2003
5,093
3,240
Unfortunately as you know Apple is in good company with hacking/exploiting loopholes as this is a cat and mouse game.
That doesn't mean Apple shouldn't tighten up their operation. Maybe others should too, but Apple has had some fairly basic security flaws show up in the past year or two.

The details in this guy's blog post are kind of thin, but if I understand the bug he found, it allowed anyone to ask for a valid token for an Apple ID and simply get it. I don't think that should be too far down the security hole checklist.
 