Sign in with Apple vulnerability allowed unauthorised access to linked accounts

Apple’s “Sign in with Apple” was found to have a vulnerability that would have allowed attackers to gain access to any account linked with the service. The vulnerability was discovered by Bhavuk Jain, an Indian security researcher, who promptly reported it to Apple. Apple investigated the matter, concluded that the vulnerability was real, and awarded the researcher $10,000 under its bug-bounty program.

The vulnerability lay in how Apple validated users “on the client-side before initiating a request from Apple’s authentication services.” Apple’s server generates a JSON Web Token (JWT), which the third-party service then uses to authenticate the user. The vulnerability allowed this token to be spoofed, letting a malicious actor gain access to a user’s account. “I found I could request JWTs for any Email ID from Apple, and when the signature of these tokens was verified using Apple's public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID and gaining access to the victim's account,” Jain said in an interview with The Hacker News. The vulnerability affected even users who chose to hide or not share their email IDs during the login process.
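As an added example (not code from the article, from Apple, or from the researcher), the following Go program shows the relying-party side of the flow the article describes: the identity provider signs a JWT, and the third-party service verifies it against the provider's public key before trusting the identity inside it. A locally generated RSA key stands in for the provider's key, and the issuer string, client identifier, nonce and user values are constructed placeholders. The checks shown (algorithm pinned to RS256, signature, issuer, audience, expiry, nonce) are the standard OpenID Connect ones. They are what a relying party can do on its own; they would not by themselves catch a token the provider legitimately signed for the wrong email address, which is why the bug described here had to be fixed on Apple's side.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is the subset of an identity token a relying party checks; "sub" is the provider's stable user identifier.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Email string `json:"email,omitempty"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce,omitempty"`
}

var b64 = base64.RawURLEncoding

// mintToken plays the identity provider and signs the claims as an RS256 JWT (constructed stand-in, not Apple's code).
func mintToken(key *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // errs only on a broken RNG
	return input + "." + b64.EncodeToString(sig)
}

// VerifyIdentityToken is the relying-party side: pinned algorithm, signature under the trusted key, then iss/aud/exp/nonce.
func VerifyIdentityToken(tok string, pub *rsa.PublicKey, wantIss, wantAud, wantNonce string, now int64) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	// Never let the token choose its algorithm ("none", or HS256 keyed with the public key).
	var hdr struct{ Alg string `json:"alg"` }
	hdrJSON, _ := b64.DecodeString(parts[0])
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("rejected header alg %q", hdr.Alg)
	}
	// Check the signature before trusting a single claim; a garbled signature segment decodes to junk and fails.
	sig, _ := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify under the trusted key")
	}
	var c Claims
	bodyJSON, _ := b64.DecodeString(parts[1])
	if err := json.Unmarshal(bodyJSON, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != wantIss:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("token issued for another client (aud=%q)", c.Aud)
	case now >= c.Exp:
		return nil, fmt.Errorf("token expired")
	case c.Nonce != wantNonce:
		return nil, fmt.Errorf("nonce mismatch (replayed or cross-session token)")
	}
	return &c, nil
}

// RunScenarios mints tokens under constructed keys and reports which ones the verifier accepts; only "honest" should be true.
func RunScenarios() map[string]bool {
	issuerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	rogueKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Placeholder values; a real client pins the provider's published issuer string and key set.
	const now, iss, aud, nonce = int64(1_700_000_000), "https://issuer.example", "com.example.app", "nonce-4f3c"
	good := Claims{Iss: iss, Aud: aud, Sub: "001234.abcd", Email: "user@example.com", Exp: now + 600, Nonce: nonce}
	accepted := func(tok string) bool {
		_, err := VerifyIdentityToken(tok, &issuerKey.PublicKey, iss, aud, nonce, now)
		return err == nil
	}
	honest := mintToken(issuerKey, good)
	wrongAud, expired := good, good
	wrongAud.Aud = "com.example.other" // genuine token, but issued to a different client
	expired.Exp = now - 1
	// The honest payload re-wrapped in an unsigned "alg":"none" envelope.
	algNone := b64.EncodeToString([]byte(`{"alg":"none"}`)) + "." + strings.Split(honest, ".")[1] + "."
	return map[string]bool{
		"honest":         accepted(honest),
		"wrong_key":      accepted(mintToken(rogueKey, good)), // same claims, untrusted signer
		"wrong_audience": accepted(mintToken(issuerKey, wrongAud)),
		"expired":        accepted(mintToken(issuerKey, expired)),
		"alg_none":       accepted(algNone),
	}
}

func main() { fmt.Println(RunScenarios()) }
```

Two general relying-party practices, stated here as guidance rather than as anything the article attributes to Apple, narrow the blast radius of provider-side mistakes: key the linked account on the `sub` claim rather than on the email address alone, and obtain the token by exchanging the authorization code with the provider's server-side token endpoint instead of accepting a token that the client posts.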

Apple introduced Sign in with Apple last year at WWDC as a way of giving iOS users an alternative to using their Facebook or Google IDs to log into third-party applications. The need arose from the fact that Facebook and Google were leveraging these sign-ins for advertising purposes and even tracking user behaviour. Facebook was also accused of selling user data to third parties, and then there was the Cambridge Analytica scandal; Twitter too was accused of selling user data to the people behind Cambridge Analytica. Apple’s pitch with Sign in with Apple was that the service wouldn’t collect or track user behaviour. In fact, Apple even built an email anonymizer into the service, letting users opt not to share their email IDs with the platform they were logging into. In the backend, Apple creates a bridge email ID that forwards any correspondence from the platform to the user’s actual email ID. Sign in with Apple generates a unique email ID for every service you sign into, provided you choose not to share your email ID with that service.

Apple has stated that the vulnerability has been patched and that, after reviewing its server logs, it found no accounts had been accessed illegitimately.



from Latest Technology News https://ift.tt/3eDEpIe