Friday, September 25, 2020

Developer from INDIA earns 75 lakh for finding ‘Sign in with Apple’ bug


Security researcher Bhavuk Jain disclosed the flaw to Apple which led to an award from Apple’s bug bounty programme.

A 27-year-old Indian security researcher, Bhavuk Jain, has earned $100,000 (over Rs 75.5 lakh) from Apple for discovering a now-patched zero-day vulnerability in the ‘Sign in with Apple’ account authentication system.

The zero-day vulnerability could have allowed a hacker to break into the account of an Apple user who logs into third-party apps such as Dropbox, Spotify, Airbnb and Giphy (now acquired by Facebook), among others, with their Apple ID.

Jain, who holds a bachelor’s degree in electronics and communication, discovered the zero-day bug in ‘Sign in with Apple’; it affected third-party applications that used the feature without implementing their own additional security measures.

“This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not,” Jain said in a statement on Saturday.

“For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty programme,” he announced.

Jain is a full-stack developer interested mostly in mobile app development using React Native. He is currently a full-time bug bounty hunter “trying to make the internet a safer place for everyone”.

Launched in 2019, ‘Sign in with Apple’ is intended as a more privacy-focused alternative to third-party logins.

Jain disclosed the flaw to Apple which led to an award from Apple’s bug bounty programme. Apple has since patched the bug.

According to Jain, ‘Sign in with Apple’ works similarly to OAuth 2.0.

“There are two possible ways to authenticate a user by either using a JWT (JSON Web Token) or a code generated by the Apple server. The code is then used to generate a JWT,” he explained.

In the second step, during authorization, Apple gives the user the option of either sharing their Apple email ID with the third-party app or keeping it hidden.

If the user chooses to hide the email ID, Apple generates a user-specific relay email address of its own.

“Depending upon the user selection, after successful authorization, Apple creates a JWT which contains this email ID which is then used by the 3rd party app to log in a user,” said Jain.

He found that he could request JWTs for any email ID from Apple, and when the signatures of these tokens were verified against Apple’s public key, they checked out as valid.

“This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account,” Jain noted.

The impact of this vulnerability was quite critical as it could have allowed a full account takeover.
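As an added illustration (not code from the article, and not Apple’s or Jain’s), the following stdlib-only Python models the relying-party side of the flow described above: a third-party app receives a signed JWT, verifies it, and uses a claim from it to log the user in. Everything in it is constructed: the issuer string, audience, key and account tables are placeholders, and the signature is HMAC (HS256) rather than the asymmetric signature a provider such as Apple uses, so that it runs offline. It shows the checks an app should perform beyond signature validity (pinned algorithm, issuer, audience, expiry) and why keying local accounts on the provider’s stable `sub` claim rather than on the email claim limits the damage when an otherwise valid token carries an email that does not belong to its subject.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions, not taken from the article): the
# relying party's shared secret, the issuer it expects, and its own client id.
DEMO_KEY = b"demo-shared-secret-not-for-production"
EXPECTED_ISS = "https://idp.example"
EXPECTED_AUD = "com.example.relying-party"


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT for the demo. A real provider such as Apple signs with an
    asymmetric key; HMAC is swapped in here only to keep the example stdlib-only."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes = DEMO_KEY, *, issuer: str = EXPECTED_ISS,
                    audience: str = EXPECTED_AUD, now: Optional[float] = None) -> dict:
    """Validate a JWT the way a relying party should before trusting any claim.

    A valid signature alone is not enough: the token must also come from the
    expected issuer, be addressed to this app, and still be within its lifetime.
    Raises ValueError on any failure so a caller cannot proceed by accident."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three segments")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token never gets to choose (rejects "none" and algorithm confusion).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this app")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def resolve_account(claims: dict, accounts_by_sub: dict) -> Optional[str]:
    """Map a verified token to a local account by the provider's stable subject id.

    accounts_by_sub is the app's table {sub: account_name}. Keying on `sub`
    rather than on the email claim means a token whose email claim does not
    belong to its subject cannot be turned into someone else's session."""
    return accounts_by_sub.get(claims["sub"])


def resolve_account_by_email(claims: dict, accounts_by_email: dict) -> Optional[str]:
    """The weaker pattern: treat the email claim as the account identity."""
    return accounts_by_email.get(claims.get("email"))


def demo(now: float = 1_600_000_000.0) -> dict:
    """Constructed scenario: the victim registered earlier under subject 'sub-victim'.
    A correctly signed token arrives whose email claim names the victim but whose
    subject is a different user. Both lookups run so the difference is visible."""
    accounts_by_sub = {"sub-victim": "victim-account"}
    accounts_by_email = {"victim@example.com": "victim-account"}
    token = mint_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "exp": now + 600,
                        "sub": "sub-other", "email": "victim@example.com"})
    claims = verify_id_token(token, now=now)  # signature and standard claims all pass
    return {"by_sub": resolve_account(claims, accounts_by_sub),
            "by_email": resolve_account_by_email(claims, accounts_by_email)}


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the signature, issuer, audience and expiry checks all pass, so the only thing standing between a mis-issued email claim and a takeover is which claim the app uses as the account key: the email-keyed lookup hands over the victim’s account, while the `sub`-keyed lookup finds no matching account for the token’s actual subject.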

Many developers have integrated ‘Sign in with Apple’, since it is mandatory for applications that support other social logins.

Before patching the bug, Apple investigated its logs and determined that there had been no misuse or account compromise due to this vulnerability.
