$100,000 Bounty Apple Zero-day Bug in “Sign in with Apple” Let Hackers Take Takeover of Apple User Accounts

Indian Security researcher found a critical Zero-day vulnerability in “Sign in with Apple” let hackers take over the third-party application accounts by just having their Email ID.

Very Similar to OAuth 2.0, Apple’s “sign in with Apple” helping the user to sign in to their third-party apps and websites faster using their Apple ID without filling out forms, verifying email addresses.

This feature is using million of Apple users to sign in their Third-party apps such as Dropbox, Spotify, Airbnb, Giphy, and the bug considering as “Critical” as it could have allowed full account takeover by the remote attackers.

 Bhavuk Jain , Security Researcher from India reported this critical vulnerability to Apple said: “Successfully exploitation of the bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”

The Account Take Over Zero day

Jain explained that Apple using JWT (JSON Web Token) that generated from Apple Server to securely authenticate the user with an Email ID and allow users to log in to the 3rd party app.

But due to the improper validation, the zero-day bug let attackers request JWTs for any Email ID from Apple and the email ID is verified as valid when the signature of these tokens was verified using Apple’s public key.

It leads an attacker to forge the JWTs to link with any Email ID and gain access to the victim’s 3rd party account.

“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.” Jain Explained in Blog post.

Jain also confirmed that the bug can also be exploited by the user’s account who decides to hide the Email ID, since Apple generates its own user-specific Apple relay Email ID.

Apple also rewarded $100,000 bounty under Apple security bounty for ethically reporting the critical vulnerability.

Apple security Team confirmed that bug wasn’t exploited after an investigation of their server logs and the bug has been fixed.

If you’re willing to learn Bug bounty, you can take a complete Master Level Bug Bounty Course training from Ethical Hackers Academy to learn, find, and report the security vulnerabilities in hundreds of vendors.

Also Read: HackerOne Paid $100 Million in Bug Bounties to Ethical Hackers

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

BALAJI N

Recent Posts

Operation HAECHI III – INTERPOL Arrested 1000 Cyber Criminals & Seized $130 Million

Recently, there have been almost 1000 arrests made as a result of a police operation…

7 hours ago

Hackers Rewritten The RansomExx Ransomware in Rust Language To Evade Detection

There has recently been a discovery made by IBM Security X-Force Threat Researchers regarding a…

23 hours ago

Web Application Penetration Testing Checklist – A Detailed Cheat Sheet

Web Application Pentesting is a method of identifying, analyzing and Report the vulnerabilities which are…

3 days ago

Chrome Extension Deploy Windows Malware to Steal Cryptocurrency and Clipboard Contents

In order to steal cryptocurrency and clipboard contents, ViperSoftX was detected by the security analysts…

3 days ago

Google Released Over 165 YARA Rules to Detect Cobalt Strike Components in Their Networks

There is a collection of IOCs from VirusTotal and YARA Rules that has been recently…

4 days ago

Hackers Use New Ransomware that Encrypts Files & Steals Tokens From Victim’s Machine

Security researchers at Cyble recently identified that the authors of ransomware now have access to…

5 days ago