To many users (including this writer), the options to sign in to 3rd party services with your Google, Facebook, and Apple accounts is probably the most convenient way to log in. Apple, for their part, made it clear that “Sign in with Apple” is an option that puts privacy first.
Now, a new bug that could have critically affected the privacy of “Sign in with Apple” users has been discovered. The Apple Security Bounty program, which rewards devs who discover security flaws—and report them—has just paid out US$100,000 to Bhavuk Jain, a researcher from India.
The bug has since been patched by Apple, and Jain also published an explanation that reveals the severity of the flaw.
Jain explains that the bug is related to the validation done by Apple on the client side of things, calling it a “zero-day” bug. Had the bug not been reported and patched, it could even have meant full access to 3rd party user accounts by malicious parties.
So, how does it work?
When a user signs in with their Apple account on supported 3rd party sites, a JSON Web Token (JWT) that holds authenticating information is generated. However, despite a requirement for users to log into their Apple accounts, Apple servers did not validate if the request for the JWT was from the same user during the next step.
JWTs can be requested for any Apple ID email, and so long as they are verified, they will be valid to Apple’s servers. And without the extra validation step, this could have potentially led to remote access for attackers by forging a JWT during the process.
“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”
The bug has now reportedly been patched, which is certainly good news. Jain warns that vulnerability extended to some pretty widely-used applications—Dropbox, Spotify, Airbnb, Giphy, to name a few. Apple has also claimed that there was “no misuse or account compromise” due to this particular flaw, according to Jain.
Regardless, Jain picked up US$100,000 (~RM432K) for his efforts:
“A huge thanks to the Apple Security Team.”
[ SOURCE ]
Samsung Malaysia has unveiled its latest Bespoke AI home appliances which includes its new side-by-side…
After launching the Camon 40 Pro 4G last month, Tecno has now launched its 5G…
After much teasing, the Google Pixel 9a is now officially available for purchase in Malaysia.…
[ UPDATE 16/04/2025 11:50 ] The Xpeng X9 2025 RHD is now available in Hong…
U Mobile today has officially announced Huawei and ZTE as its network technology partners for…
Apple first introduced the Activity rings with its very first Apple Watch in 2015. The…
This website uses cookies.
![](data:image/svg+xml;charset=utf-8,<svg height="725px" width="1200px" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
![](data:image/svg+xml;charset=utf-8,<svg height="711px" width="1200px" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
