Home / Technology / Apple fixes a bug that could have given hackers full access to user accounts

Apple fixes a bug that could have given hackers full access to user accounts



Photo of multiple Apple devices in a row.

Sign in to Apple – a privacy enhancement tool that allows users to sign in to third-party apps without revealing their email addresses. Fixed only one bug that allowed attackers to gain unauthorized access to the same accounts.

“In April, when I signed up for Apple, I found a zero-day that affected third-party applications that used it and didn̵

7;t implement any additional security measures,” wrote app developer Bhavuk Jain on Sunday. “This error could have resulted in full account takeover of user accounts in this third-party application, regardless of whether a victim has a valid Apple ID or not.”

Jain privately reported the bug to Apple as part of the company’s bug bounty program and received a high payout of $ 100,000. The developer shared details after Apple updated the sign-in service to address the vulnerability.

Sign in to Apple, which was introduced in October as an easier, safer, and more private way to sign in to apps and websites. Given the mandate that many third-party iOS and iPadOS apps offer the ability to log in to Apple, it has been taken on by a variety of high-profile services that are entrusted with a large amount of sensitive user data.

Instead of using a social media account or email address, filling out web forms, and choosing an account-specific password, iPhone and iPad users can tap a button and sign in with Face ID, Touch ID, or one Register device passcode. The bug opened up the possibility for users that their accounts would be completely hijacked by third parties.

The sign-up service, which works similarly to the OAuth 2.0 standard, signs in users using a JWT (short for JSON Web Token) or a code generated by an Apple server. In the latter case, the code is then used to create a JWT. Apple offers users the option to share the Apple email ID with third parties or to keep the ID hidden. When users hide the ID, Apple creates a JWT that contains a custom relay ID.

“I have found that I can request JWTs from Apple for any email ID. When the signature of these tokens with the Apple public key was verified, they were displayed as valid,” Jain wrote. “This means that an attacker could fake a JWT by linking any email ID to it and gaining access to the victim’s account.”

There is no indication that the bug was ever actively exploited.


Source link