Apple account takeover bug nets researcher US$100,000

Apple appears to have dodged a massive bullet after researcher discovered a gaping hole in its sign-in authentication system that allowed full account takeover in third-party apps, and possibly services such as iCloud as well.

In April this year, Delhi-based bug bounty hunter Bhavuk Jain found that the Sign in with Apple system could easily be tricked into handing over Javascript Object Notation (JSON) authentication tokens for any users' email addresses.

Apple's security team confirmed the bug in the OAUTH style sign in system, and paid Jain a US$100,000 bounty for finding it.

Sign in with Apple is mandatory for third-party applications such as Dropbox, Spotify, and AirBnB that use other social logins like Facebook and Google, and gives users the option of reducing the amount of data they have to hand over.

Users can either provide their Apple ID email address to third party apps, or hide it.

In the latter case, Sign in with Apple creates a one-off Apple ID email address for the user, and the server creates a signed JWT that is verified with public key cryptography.

Jain said the bug in the sign-in server-side authentication code was "quite critical" as it could have allowed full account takeover for services that use Sign in with Apple.

"I found I could request JWTs for any Email ID from Apple, and when the signture of these tokes was verified using Apple's public key, the showed as valid.

This means an attacker could forge a JWT by linking any Email ID to it, and gain access to the victim's account," Jain wrote.

Apple told Jain that their investigation of logs showed no misuse or account compromises from the vulnerability.

Other developers speculated that the bug could have been used to access Apple services as well, as the company's security bounty payouts page lists an award of US$100,000 for "broad, unauthorised control of an iCloud account", the only category that fits Jain's report.