A cybersecurity researcher in India has claimed a $100,000 (£79,640) reward offered by Apple for exposing a critical flaw in its security systems.
Bhavuk Jain found that the Apple ID bug, which affected its ‘Sign in with Apple‘ system, would have allowed hackers to take control of a user account on third-party services and apps.
The ‘Sign in With Apple’ feature was released in 2019 and gives users the ability to maintain their privacy when using iOS apps.
The system allows a user to log into apps by pressing a dedicated button and authenticating via Face ID without sharing private data with a third-party company.
When a user logs in, a JSON Web Token (JWT) is used to authenticate the account, and this token can contain the user’s Apple ID email address depending on which options are selected.
Jain found that he could request a JWT for any Apple account and the signature would be verified as valid each time.
A hacker would then only need to know the email address associated with an Apple ID to get a validated token and obtain access to the account.
In a blog post, Jain commented: “I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid.
“This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”
There is potential for the vulnerability to have a major impact on other log-in pages, as many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins.
“To name a few that use Sign in with Apple – Dropbox, Spotify, Airbnb, Giphy (Now acquired by Facebook),” Jain commented in the post.
“These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user.”
Apple says that, during the process to patch the issue, it reviewed its server and determined the flaw had not been exploited. It also says that accounts using two-factor authentication are less likely to be vulnerable to the bug.
- Ethical Hackers and Their Role in Cybersecurity
- Tech Industry the Least Secure Against Cyber Attacks, say Hackers
- Scottish Veterans to be Reskilled to Fill Cybersecurity Skills Gap
This latest lucrative bounty is relatively small compared to previous bug hunting endeavours. In March 2019, a self-taught 19 year old bug bounty hunter made history by becoming the first millionaire from ethical hacking.
Santiago Lopez has reported thousands of security flaws to organisations since beginning his legal hacking career in 2015, including social media platform Twitter, Verizon Media Company and a host of private corporate and government entities.
There has been a recent demand for strengthened cybersecurity, particularly since the coronavirus pandemic, causing an increase in ethical hackers worldwide.
Curious Frank, a subdivision run by the Scottish Business Resilience Centre (SBRC) to support business resilience through ethical hacking, reported its highest level of enrolment since it began in February of this year.
The company saw a 30% increase since 2018, as well as 2020 seeing more female students enrolled in the course than any previous year.
Eamonn Keane, COO for Cyber and Innovation, commented at the time: “With technology advancing and more and more criminal activities taking place online, we need a growing multiplicity of cyber-associated roles to include ethical hackers who are trained to identify and reduce the potential attack surface and reduce cybercrime.
“Identifying and mitigating weaknesses is an essential component of an overarching cybersecurity strategy and highly recommended in the ‘defence in depth’ application for Scottish businesses.”