Sunday, November 24, 2024
HomeBug Bounty$100,000 Bounty Apple Zero-day Bug in "Sign in with Apple" Let Hackers...

$100,000 Bounty Apple Zero-day Bug in “Sign in with Apple” Let Hackers Take Takeover of Apple User Accounts

Published on

Indian Security researcher found a critical Zero-day vulnerability in “Sign in with Apple” let hackers take over the third-party application accounts by just having their Email ID.

Very Similar to OAuth 2.0, Apple’s “sign in with Apple” helping the user to sign in to their third-party apps and websites faster using their Apple ID without filling out forms, verifying email addresses.

This feature is using million of Apple users to sign in their Third-party apps such as Dropbox, Spotify, Airbnb, Giphy, and the bug considering as “Critical” as it could have allowed full account takeover by the remote attackers.

- Advertisement - SIEM as a Service

 Bhavuk Jain , Security Researcher from India reported this critical vulnerability to Apple said: “Successfully exploitation of the bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”

The Account Take Over Zero day

Jain explained that Apple using JWT (JSON Web Token) that generated from Apple Server to securely authenticate the user with an Email ID and allow users to log in to the 3rd party app.

But due to the improper validation, the zero-day bug let attackers request JWTs for any Email ID from Apple and the email ID is verified as valid when the signature of these tokens was verified using Apple’s public key.

It leads an attacker to forge the JWTs to link with any Email ID and gain access to the victim’s 3rd party account.

“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.” Jain Explained in Blog post.

Jain also confirmed that the bug can also be exploited by the user’s account who decides to hide the Email ID, since Apple generates its own user-specific Apple relay Email ID.

Apple also rewarded $100,000 bounty under Apple security bounty for ethically reporting the critical vulnerability.

Apple security Team confirmed that bug wasn’t exploited after an investigation of their server logs and the bug has been fixed.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical Arc Browser Vulnerability Let Attackers Execute Remote Code

Arc's Boosts feature lets users customize websites with CSS and JavaScript. While JavaScript Boosts...

New TE.0 HTTP Request Smuggling Flaw Impacts Google Cloud Websites

HTTP Request Smuggling is a flaw in web security that is derived from variations...

The Problem With Bug Bounties

A Technically Skilled individual who finds a bug faces an ethical decision: report the...