Now Patched 'Sign in With Apple' Bug Left Users Open to Attack

[MacRumors]

Researcher Bhavuk Jain in April discovered a critical Sign in With Apple vulnerability that could have resulted in a takeover of some user accounts. The bug was specific to third party apps that used Sign in With Apple and didn't implement additional security measures.

Jain notes that Sign in With Apple works by authenticating a user through a JWT (JSON Web Token) or a code that's generated by Apple's server. Apple then gives users the option to share either the email tied to their Apple ID or a private relay email address,which creates a JWT that's used to log in a user.

Jain then discovered that once JWTs for both Apple ID emails and private relay email addresses were requested and the token's signature was verified using Apple's public key, it "showed as valid." Should the bug have not been discovered, a JWT could be created and used to gain access to one's account.

In an interview with The Hacker News, Jain spoke about the severity of the bug:

The impact of the this vulnerability was quite critical as it could have allowed a full account takeover. Many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple - Dropbox, Spotify, Airbnb, Giphy (now acquired by Facebook).

According to Jain, Apple conducted an investigation and concluded that no accounts were compromised using this method before the vulnerability was patched. Jain was paid $100,000 by Apple under its Apple Security Bounty Program for reporting the bug.

Article Link: Now Patched 'Sign in With Apple' Bug Left Users Open to Attack

 

[Aston441]

I don't care.

I'm done updating.

I'm sick and tired of my phone being artificially slowed.

I'm back to using Linux for things that need to be secure, like banking, etc.

 

[SBlue1]

100,000? Well deserved.

 

[now i see it]

Perhaps this bug was found (not by Apple) but how many more remain?
Hard pass on ever trying this feature

 

[justperry]

$100.000 comes in handy, could buy myself 2 X completely loaded (well almost) Mac Pro's.
Or half an appartement.
Actually, now I think of it, 4 X fully loaded Mac Pro's buys me a nice appartement...WTF.

As for the Researcher, well done, you deserve it.



Unrelated, is there a problem with MR forums, see screenshot below.

 

[Peace]

I’m getting burned out on timmys security problems .

windows is looking better

 

[I7guy]

I’m getting burned out on timmys security problems .

windows is looking better

Windows is better? Sure windows is as tight as a drum as far as that goes.

Just keep patching them Timmy.

 

[Peace]

Windows is better? Sure windows is as tight as a drum as far as that goes.

Just keep patching them Timmy.

Do not misquote me .
I said windows is looking better.

what part of that do I need to explain ?

 

[ConfusedChris]

How about Apple are also fined some huge amount for letting this slip?
I expect bugs, but I don’t expect my whole account to be potentially vulnerable.

 

[Populus]

Well deserved reward, this could have been a big security flaw.
I’m starting to use Sign in with Apple because I think is one of the best ideas Apple has had lately.

Why I waited until now? Because the devs have been pretty slow to adopt it... and I’m not sure all devs will implement this, such as Instagram or Tinder. We’ll see, June is the deadline to implement Sign in with Apple on the apps it is mandatory.
___________________________________________________

Unrelated, is there a problem with MR forums, see screenshot below.
View attachment 920116

Yeah I’m experiencing the same issue. I thought it was on my phone, but it happens on my iPad as well.

 

[I7guy]

Do not misquote me .
I said windows is looking better.

what part of that do I need to explain ?

Play semantics much? I didn’t misquote you. I quoted you exactly.

 

[fairuz]

As if this "moral to the story" needs to be repeated again: Never trust early revisions of things to be secure. But actually, please do, I need someone to beta-test for me.

Also, why is JWT always such an emphasized detail? Just means your key is inside a JSON object, like many things on the web, whatever.

 

[luvbug]

Great catch; great payday! Thank you Mr. Jain!

 

[baryon]

Ah yes, the good old cycle of: Company forces people to implement their "new thing" because "it's just better trust us" >> "New thing" turns out to have serious flaw
This, and the new iOS bugs, the new macOS bugs. And Apple (and other companies too) pretend that there is no conceivable reason for anyone to want to stick with the old tried and tested system despite the fact that it worked just fine.

 

[konqerror]

As if this "moral to the story" needs to be repeated again: Never trust early revisions of things to be secure. But actually, please do, I need someone to beta-test for me.

I'm done updating.

Except there's no choice in this case. The bug didn't require you to use sign in with Apple, it let attackers exploit accounts under their control to get into anybody else's account.

 

[B4U]

Are we getting numb with the constant SW issues that Apple is having lately?

 

[cmaier]

I don't care.

I'm done updating.

I'm sick and tired of my phone being artificially slowed.

I'm back to using Linux for things that need to be secure, like banking, etc.

You know this wasn’t a bug in the client software or operating system, right?

 

[tjrchka]

Congratulations to Mr. Jain

question I have based on the comments so far,
1. how uncommon are bugs in software/services? not just to Apple, all companies.
2. How do we get new devices/services/functionality, if things don’t change?

I have older friends on 11 year old Macs updated to the latest OS they can run. They have contemporary iPhones that they do 99.99% of what they want or feel capable of doing.

If it weren’t for their iPhones which are newer they’d probably need new computers.
Point being new technology replaces old and new software replaces old. Making it easier for some (which it should in order for it to be good for the user) and frustrating for those not willing to adapt/grow/change.

 

[fbr$]

I don't care.

I'm done updating.

I'm sick and tired of my phone being artificially slowed.

I'm back to using Linux for things that need to be secure, like banking, etc.

My iPhone 8 Plus is very fast on iOS 13.5.

And my 2017 MacBook Air i5 with 8GB RAM on macOS Catalina 10.15.5 is performing very well on basic tasks (Pages, Safari, Preview, all three apps and other more opened at same time), I think of buying a new MacBook mainly due to the non-Retina display and to get 16GB RAM.

 

[Analog Kid]

Apple needs to boost their security team. There's a few things like this that have been slipping through the cracks recently. I get that new features have bugs, but this doesn't seem particularly obscure-- if I'm reading the linked article correctly, you could get a valid token for any Apple ID just by asking for one? If so, it sounds like it wasn't exploited simply because nobody had tried yet...

Perhaps this bug was found (not by Apple) but how many more remain?
Hard pass on ever trying this feature

That same question could be asked of any service. There is no answer to "how many more remain". More mature services will have less bugs, in general, but new features will bring new bugs with them.

 

[I7guy]

Apple needs to boost their security team. There's a few things like this that have been slipping through the cracks recently....

Unfortunately as you know Apple is in good company with hacking/exploiting loopholes as this is a cat and mouse game.

 

[sdf]

If it was unexploited and has been patched, there's not much of a story here… except to other businesses that might consider Sign In With Apple.

Luckily, you don't have to use it if you don't use other third party sign-in services.

 

[fairuz]

Except there's no choice in this case. The bug didn't require you to use sign in with Apple, it let attackers exploit accounts under their control to get into anybody else's account.

The developer has a choice of which login methods to support, and I'm a developer.

Side note, as a user, it seems you're only vulnerable if you used an email or an Apple ID to sign in, not something else. Email login is (and will always be) less secure for a variety of reasons, plus it opens the user up to spam, so I never use it. Just have some burner Goog and FB accounts, which have a proven security track record.

 

[konqerror]

If it was unexploited and has been patched, there's not much of a story here… except to other businesses that might consider Sign In With Apple.

Bugs are a symptom, not the flaw. The constant stream of problems coming out from Apple shows their software development and QA processes are severely flawed.

 

[Analog Kid]

Unfortunately as you know Apple is in good company with hacking/exploiting loopholes as this is a cat and mouse game.

That doesn't mean Apple shouldn't tighten up their operation. Maybe others should too, but Apple has had some fairly basic security flaws show up in the past year or two.

The details in this guys blog post are kind of thin, but if I understand the bug he found it allowed anyone to ask for a valid token for an Apple ID and simply get it. I don't think that should be too far down the security hole checklist.