Apple’s “Sign in with Apple” feature was touted as a secure way to log into any third-party app. This feature allows users to generate random identifiers that will be used to securely log onto various apps such as Airbnb, Dropbox, Spotify, and now Facebook-owned Giphy. A developer, however, found that it’s not that secure: it can be used to take over accounts belonging to other people.
According to a full stack developer named Bhavuk Jain, a bug in Sign in with Apple could be used to make a “full account takeover of user accounts” on third-party apps that use Apple’s login feature but “didn’t implement their own additional security measures.”
Here’s how the bug works:
The Sign in with Apple feature uses a secure login process that takes several steps to finish. An attacker could gain access to a user’s account by exploiting a flaw in one of these steps.
Logging in using Sign in with Apple involves Apple’s authorization server giving users the option to choose whether or not to share their Apple ID with the third-party app. If the user declines to share the Apple ID with the app, Apple generates a unique Apple relay Email ID instead.
Apple will create a JWT (JSON Web Token) after successful authorization. The JWT, which contains the aforementioned Email ID, will then be used by the third-party app to log in the user.
Jain said this process involving the JWT can be manipulated to gain access to a user’s account. The developer said “I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” and explained that attackers can simply use this vulnerability to forge any JWT using any Email ID to gain full account access.
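The third-party app’s side of this flow, as an added example that is not code from the article, from Apple or from Jain’s report: it mints an RS256-signed JWT the way an identity provider would and then verifies it the way a relying party should, checking the signature against the issuer’s public key and the `iss`, `aud` and `exp` claims before trusting anything inside. It also keys the local account on `iss` plus `sub` rather than on the email claim, which is the kind of “additional security measure” the article alludes to: a token that was issued for someone else’s email address but carries the requester’s own `sub` then cannot be matched to the victim’s account. The issuer URL `https://appleid.apple.com`, the client id `com.example.app` and all claim values are assumptions constructed for the demo; the RSA key is generated in-process, so nothing here talks to Apple.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of an OpenID Connect id_token a relying party must check.
// "aud" is modelled as a plain string; real tokens may carry a string or an array.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintRS256 builds and signs a JWT; it stands in for the identity provider.
func mintRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyIDToken is the relying-party side: the header algorithm, signature,
// issuer, audience and expiry are all checked before the claims are returned.
func VerifyIDToken(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return Claims{}, errors.New("unsupported or malformed header") // pin the algorithm
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, errors.New("bad signature")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return Claims{}, errors.New("malformed payload")
	}
	if c.Iss != wantIss {
		return Claims{}, errors.New("unexpected issuer")
	}
	if c.Aud != wantAud {
		return Claims{}, errors.New("token issued for a different client")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// AccountKey is how the app looks up its local user: by issuer and subject,
// never by the email claim alone (assumed mitigation, not from the article).
func AccountKey(c Claims) string { return c.Iss + "|" + c.Sub }

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	const iss, aud = "https://appleid.apple.com", "com.example.app" // constructed values
	victim := Claims{Iss: iss, Aud: aud, Sub: "001.victim", Email: "victim@example.com", Exp: now.Unix() + 600}
	// A correctly signed token whose email names the victim but whose subject is someone else.
	impostor := Claims{Iss: iss, Aud: aud, Sub: "001.other", Email: "victim@example.com", Exp: now.Unix() + 600}
	tok, _ := mintRS256(priv, impostor)
	c, err := VerifyIDToken(tok, &priv.PublicKey, iss, aud, now)
	fmt.Println("signature and claims valid:", err == nil)
	fmt.Println("maps to victim's account:", AccountKey(c) == AccountKey(victim))
}
```

`VerifyIDToken` deliberately rejects any `alg` other than the one the app expects, so a token that declares `none` or an HMAC algorithm never reaches the signature check; the audience check stops a token minted for one app from being replayed at another; and `AccountKey` makes the email claim irrelevant to account linkage, so a token that passes every check still lands in the account of the subject it was actually issued to.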
Is this serious?
Jain noted that this flaw could have “critical” repercussions considering that it can grant attackers full access to any user’s account wherever Sign in with Apple is used.
Apple, after receiving Jain’s report, investigated its logs and said no account was compromised due to the flaw. It also rewarded the developer $100,000 for discovering and reporting the vulnerability, which has now been fixed, 9To5Mac reported.