Now Patched 'Sign in With Apple' Bug Left Users Open to Attack
Researcher Bhavuk Jain in April discovered a critical Sign in With Apple vulnerability that could have resulted in a takeover of some user accounts. The bug was specific to third-party apps that used Sign in With Apple and didn't implement additional security measures.

Jain notes that Sign in With Apple works by authenticating a user through a JWT (JSON Web Token) or a code that's generated by Apple's server. Apple then gives users the option to share either the email tied to their Apple ID or a private relay email address, and a JWT is created that's used to log the user in.
Jain then discovered that when JWTs were requested for both Apple ID emails and private relay email addresses, and the token's signature was verified using Apple's public key, the token "showed as valid." Had the bug not been discovered, a JWT could have been created and used to gain access to a user's account.
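The identity token described above is only useful to an app if the app's backend checks more than the signature. The following is an added example (not code from the article, from Jain, or from Apple) of the checks a relying party performs on a Sign in With Apple identity token: signature, issuer, audience, expiry, the per-login nonce, and, crucially, resolving the account by Apple's stable subject identifier (`sub`) rather than by the email claim. To run offline with the standard library only, it signs with HS256 under a constructed shared key in place of Apple's RS256 public key; the issuer string is Apple's real one, while the client ID, key, account store and sample tokens are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

APPLE_ISSUER = "https://appleid.apple.com"     # issuer value used by Apple identity tokens
CLIENT_ID = "com.example.signin-demo"          # assumed: this app's own client identifier
DEMO_KEY = b"constructed-demo-key-not-apple-material"  # constructed HS256 stand-in for Apple's key
DEMO_NOW = 1_700_000_000                       # fixed clock so the checks are reproducible


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT so the verifier below can be exercised on constructed input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_identity_token(token: str, expected_nonce: str, now: float,
                          key: bytes = DEMO_KEY) -> dict:
    """Return the claims only if the signature and every binding claim check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":           # the token must not choose its own algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:         # a token minted for another app must not log in here
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:  # ties the token to this login attempt (anti-replay)
        raise ValueError("nonce mismatch")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise ValueError("missing subject")
    return claims


# Constructed account store, keyed by the `sub` claim (Apple's stable user id), never by email.
ACCOUNTS = {"001234.victim.0001": {"email": "victim@example.com"}}


def attempt_sign_in(token: str, nonce: str, now: float = DEMO_NOW):
    """Resolve a token to an account; returns ('ok', sub) or ('rejected', reason)."""
    try:
        claims = verify_identity_token(token, nonce, now)
    except ValueError as e:
        return ("rejected", str(e))
    sub = claims["sub"]
    if sub not in ACCOUNTS:
        # First sign-in for this subject: create a fresh account instead of attaching
        # to an existing account that merely shares the email claim.
        ACCOUNTS[sub] = {"email": claims.get("email")}
    return ("ok", sub)


if __name__ == "__main__":
    base = {"iss": APPLE_ISSUER, "aud": CLIENT_ID, "exp": DEMO_NOW + 600, "nonce": "n-1"}
    # Validly signed, but carries the victim's email under a different subject:
    # it lands in its own account and the victim's account is untouched.
    t = mint_token({**base, "sub": "001234.other.0002", "email": "victim@example.com"})
    print(attempt_sign_in(t, "n-1"))   # ('ok', '001234.other.0002')
    print(attempt_sign_in(mint_token({**base, "sub": "x", "aud": "com.other.app"}), "n-1"))
    print(attempt_sign_in(mint_token({**base, "sub": "x", "exp": DEMO_NOW - 1}), "n-1"))
```

The ordering matters: the signature is checked before any claim is parsed, so an attacker never steers control flow with unverified JSON, and the `aud` check prevents a token legitimately issued to one app from being replayed against another. Keying accounts by `sub` means a token whose email claim matches an existing user still cannot open that user's account unless the subject also matches.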
In an interview with The Hacker News, Jain spoke about the severity of the bug:
The impact of this vulnerability was quite critical as it could have allowed a full account takeover. Many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple - Dropbox, Spotify, Airbnb, Giphy (now acquired by Facebook).
According to Jain, Apple conducted an investigation and concluded that no accounts were compromised using this method before the vulnerability was patched. Jain was paid $100,000 by Apple under its Apple Security Bounty Program for reporting the bug.