Saturday, November 2, 2024
HomeBug Bounty$100,000 Bounty Apple Zero-day Bug in "Sign in with Apple" Let Hackers...

$100,000 Bounty Apple Zero-day Bug in “Sign in with Apple” Let Hackers Take Takeover of Apple User Accounts

Published on

Malware protection

Indian Security researcher found a critical Zero-day vulnerability in “Sign in with Apple” let hackers take over the third-party application accounts by just having their Email ID.

Very Similar to OAuth 2.0, Apple’s “sign in with Apple” helping the user to sign in to their third-party apps and websites faster using their Apple ID without filling out forms, verifying email addresses.

This feature is using million of Apple users to sign in their Third-party apps such as Dropbox, Spotify, Airbnb, Giphy, and the bug considering as “Critical” as it could have allowed full account takeover by the remote attackers.

- Advertisement - SIEM as a Service

 Bhavuk Jain , Security Researcher from India reported this critical vulnerability to Apple said: “Successfully exploitation of the bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”

The Account Take Over Zero day

Jain explained that Apple using JWT (JSON Web Token) that generated from Apple Server to securely authenticate the user with an Email ID and allow users to log in to the 3rd party app.

But due to the improper validation, the zero-day bug let attackers request JWTs for any Email ID from Apple and the email ID is verified as valid when the signature of these tokens was verified using Apple’s public key.

It leads an attacker to forge the JWTs to link with any Email ID and gain access to the victim’s 3rd party account.

“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.” Jain Explained in Blog post.

Jain also confirmed that the bug can also be exploited by the user’s account who decides to hide the Email ID, since Apple generates its own user-specific Apple relay Email ID.

Apple also rewarded $100,000 bounty under Apple security bounty for ethically reporting the critical vulnerability.

Apple security Team confirmed that bug wasn’t exploited after an investigation of their server logs and the bug has been fixed.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical Arc Browser Vulnerability Let Attackers Execute Remote Code

Arc's Boosts feature lets users customize websites with CSS and JavaScript. While JavaScript Boosts...

New TE.0 HTTP Request Smuggling Flaw Impacts Google Cloud Websites

HTTP Request Smuggling is a flaw in web security that is derived from variations...

The Problem With Bug Bounties

A Technically Skilled individual who finds a bug faces an ethical decision: report the...