- Joined
- Jun 13, 2020
- Messages
- 6,564
- Reaction score
- 891
- Points
- 212
- Awards
- 2
A dangerous vulnerability was contained in the "Sign in with Apple."
Security Researcher Bhawuk Jain discovered a dangerous vulnerability in Apple Login. The exploitation of the vulnerability allows an attacker to remotely bypass authentication and take control of the accounts of target users in third-party services and applications that use the "Sign in with Apple" function for authorization.
Launched last year, the “Sign in with Apple” feature was introduced as an authentication option while maintaining confidentiality, allowing you to register accounts in third-party applications without revealing an email address.
The vulnerability was related to the way Apple checked the user on the client side before initiating a request from Apple authentication servers. During user authentication through the "Log in with Apple" function, the server generates a JSON Web Token (JWT) containing confidential information that a third-party application uses to verify the identity of the user who is logged in. Although the company asks users to log in to their Apple account before starting the request, it did not check if the same person is requesting JSON Web Token (JWT) in the next step from their authentication server.
Thus, the absence of this check could allow an attacker to provide an Apple ID belonging to the victim by tricking Apple servers into creating a JWT payload and entering a third-party service using the victim’s data.
According to the expert, the vulnerability can be exploited even if the user hid his email identifier from third-party services, and can also be used to register a new account with the victim’s Apple ID.
Bhavuk reported his findings to the Apple security team last month, and the company fixed the vulnerability.
__________________
Security Researcher Bhawuk Jain discovered a dangerous vulnerability in Apple Login. The exploitation of the vulnerability allows an attacker to remotely bypass authentication and take control of the accounts of target users in third-party services and applications that use the "Sign in with Apple" function for authorization.
Launched last year, the “Sign in with Apple” feature was introduced as an authentication option while maintaining confidentiality, allowing you to register accounts in third-party applications without revealing an email address.
The vulnerability was related to the way Apple checked the user on the client side before initiating a request from Apple authentication servers. During user authentication through the "Log in with Apple" function, the server generates a JSON Web Token (JWT) containing confidential information that a third-party application uses to verify the identity of the user who is logged in. Although the company asks users to log in to their Apple account before starting the request, it did not check if the same person is requesting JSON Web Token (JWT) in the next step from their authentication server.
Thus, the absence of this check could allow an attacker to provide an Apple ID belonging to the victim by tricking Apple servers into creating a JWT payload and entering a third-party service using the victim’s data.
According to the expert, the vulnerability can be exploited even if the user hid his email identifier from third-party services, and can also be used to register a new account with the victim’s Apple ID.
Bhavuk reported his findings to the Apple security team last month, and the company fixed the vulnerability.
__________________