
Apple fixes sign-in bug that would have let anyone log into your apps

The bug affected 'Sign in with Apple', a way for iOS users to log into apps that avoids the competing, popular sign-in services from Facebook and Google

Adam Smith
Tuesday 02 June 2020 16:05 BST

Apple has fixed a sign-in bug that could have allowed malicious individuals to take control of a user’s account, paying $100,000 to the person who found it.

The flaw relates to the “Sign in with Apple” feature, which the company introduced in 2019 as a privacy-focused alternative to the sign-in options from Facebook or Google, yet one that is easier than using an email login.

At the end of May, however, developer Bhavuk Jain disclosed a software vulnerability which meant that hackers could have achieved a “full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”

The issue lay in the login token generated by Apple’s servers, which is tied to the email address of the user’s Apple ID: it turned out that such a token could be generated for any email address, and Apple would still verify the login as valid.

“Sign in with Apple” works by using a JWT (JSON Web Token) or an authorization code issued by Apple’s server. The app sends a request to the server, Apple returns a JWT to the user, and that token is then presented to the third-party application, which checks it against Apple’s servers again. All of this happens almost instantly.

However, Jain found that the JWT request was not secure. “I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account,” Jain wrote.

After disclosing the bug, Jain received $100,000 as part of Apple’s bug bounty program. Apple says that it had checked its server logs and found no evidence that the exploit was used to take control of any accounts.

This is not the only patch Apple had to make in its iOS 13.5 update. Before the launch of the new operating system it also patched a jailbreak exploit that had reportedly been circulating on the internet since at least February.
