Indian developer wins ₹75 lakh for reporting a critical flaw in 'Sign in with Apple'
Bhavuk Jain, a 27-year-old Indian security researcher, has received $100,000 (over Rs 75.5 lakh) from Apple for discovering a now-patched zero-day vulnerability in the Sign in with Apple account authentication. The vulnerability could have allowed an attacker to break into the account of an Apple user who logs into third-party apps such as Dropbox, Spotify, Airbnb and Giphy.
Jain, who holds a Bachelor's degree in Electronics and Communication, discovered the zero-day bug in Sign in with Apple; it affected third-party applications that used the service and did not implement their own additional security measures.
According to Jain, this bug could have resulted in a full account takeover of user accounts on the third-party application, irrespective of whether the victim had a valid Apple ID. For this vulnerability, he was paid $100,000 by Apple under the Apple Security Bounty programme.
'Sign in with Apple' is intended as a more privacy-focused alternative to third-party logins. Jain disclosed the flaw to Apple, which led to an award under Apple's bug bounty programme; Apple has since patched the bug. According to Jain, Sign in with Apple works similarly to OAuth 2.0.
In the second step, while authorizing, Apple gives the user the option of either sharing their Apple email ID with the third-party app or not. If the user decides to hide the email ID, Apple generates a user-specific Apple relay email ID. Jain found that he could request JWTs for any email ID from Apple, and when the signature of these tokens was verified using Apple's public key, they showed as valid. Through this, an attacker could forge a JWT linking any email ID to it and gain access to the victim's account.