Now Patched 'Sign in With Apple' Bug Left Users Open to Attack
Researcher Bhavuk Jain in April discovered a critical Sign in With Apple vulnerability that could have resulted in a takeover of some user accounts. The bug was specific to third party apps that used Sign in With Apple and didn't implement additional security measures.
Jain notes that Sign in With Apple works by authenticating a user through a JWT (JSON Web Token) or a code that's generated by Apple's server. Apple then gives users the option to share either the email tied to their Apple ID or a private relay email address,which creates a JWT that's used to log in a user.
Jain then discovered that once JWTs for both Apple ID emails and private relay email addresses were requested and the token's signature was verified using Apple's public key, it "showed as valid." Should the bug have not been discovered, a JWT could be created and used to gain access to one's account.
In an interview with The Hacker News, Jain spoke about the severity of the bug:
The impact of the this vulnerability was quite critical as it could have allowed a full account takeover. Many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple - Dropbox, Spotify, Airbnb, Giphy (now acquired by Facebook).
According to Jain, Apple conducted an investigation and concluded that no accounts were compromised using this method before the vulnerability was patched. Jain was paid $100,000 by Apple under its Apple Security Bounty Program for reporting the bug.
Popular Stories
Google recently made waves by showcasing a set of lightweight smart glasses featuring deep Gemini integration and an optional in-lens display. The demo has reignited interest in Apple's own smart glasses project, which has been the subject of rumors for nearly a decade. Here's a recap of where things stand.
Current Development Status
Apple is actively working on new chips specifically...
Apple is expected to launch an all-new ultra-thin iPhone 17 Air later this year, and while there have been plenty of rumors about the camera's overall design and thinness, we haven't heard any details about the device's weight and battery capacity until now.
According to the leaker going by the account name "yeux1122" on the Korean-langauge Naver blog, the 6.6-inch iPhone 17 Air has a weight ...
Apple's recently announced CarPlay Ultra promises a deeply integrated in-car experience, but not all iPhone users will be able to take advantage of the new feature.
According to Apple's press release, CarPlay Ultra requires an iPhone 12 or later running iOS 18.5 or later. This means if you're using an iPhone 11, iPhone XR, or any older model, you'll need to upgrade your device to access...
Apple today announced a more detailed schedule for its annual developers conference WWDC, which runs from June 9 through June 13. The schedule confirms that Apple's keynote will begin on Monday, June 9 at 10 a.m. Pacific Time, with a live stream to be available on Apple.com, in the Apple TV app, and on YouTube.
During the keynote, Apple is expected to announce iOS 19, iPadOS 19, macOS 16,...
Apple is planning to launch a set of smart glasses by the end of 2026, reports Bloomberg. The glasses will be comparable to the Meta Ray-Bans and the Android XR glasses that Google showed off earlier this week.
Apple's smart glasses are expected to include cameras, microphones, and AI capabilities, much like the Meta Ray-Bans. The glasses will be able to take photos, record video, provide...
The Worldwide Developers Conference (WWDC), Apple's annual developer and software-oriented event, is less than three weeks away. We haven't heard a great deal about macOS 16 ahead of its announcement this year, so we could be in for some major surprises when June 9 rolls around. Here's what we know so far about the next major update to Apple's Mac operating system.
macOS 16 Name?
Every year ...
OpenAI is acquiring io, the hardware-based AI startup co-created by Jony Ive, OpenAI announced today. Ive has been working with OpenAI CEO Sam Altman on io for two years, and the duo expects to develop a family of AI devices.
In a video shared by OpenAI, Altman and Ive outlined their partnership and what they expect to create as a result of the merger. "I have a growing sense that everything ...
Apple today announced that its next-generation CarPlay experience, now dubbed "CarPlay Ultra" begins rolling out today, starting with Aston Martin vehicles.
Subscribe to the MacRumors YouTube channel for more videos.
CarPlay Ultra is now available with new Aston Martin vehicle orders in the U.S. and Canada. It will also be available for existing models that feature the brand's next-generation ...
