Now-Patched 'Sign in With Apple' Bug Left Users Open to Attack

Researcher Bhavuk Jain in April discovered a critical Sign in With Apple vulnerability that could have resulted in a takeover of some user accounts. The bug was specific to third-party apps that used Sign in With Apple and didn't implement additional security measures.

Jain notes that Sign in With Apple works by authenticating a user through a JWT (JSON Web Token) or a code that's generated by Apple's server. Apple then gives users the option to share either the email tied to their Apple ID or a private relay email address, which creates a JWT that's used to log in a user.

Jain then discovered that once JWTs for both Apple ID emails and private relay email addresses were requested and the token's signature was verified using Apple's public key, it "showed as valid." Had the bug not been discovered, a JWT could have been created and used to gain access to a user's account.

In an interview with The Hacker News, Jain spoke about the severity of the bug:

The impact of this vulnerability was quite critical as it could have allowed a full account takeover. Many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple - Dropbox, Spotify, Airbnb, Giphy (now acquired by Facebook).

According to Jain, Apple conducted an investigation and concluded that no accounts were compromised using this method before the vulnerability was patched. Jain was paid $100,000 by Apple under its Apple Security Bounty Program for reporting the bug.
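The article's point that a token can pass signature verification and still be the wrong basis for a login can be shown with the checks a relying party runs after the signature step. This is an added example, not code from Apple, Jain or any affected app; the article does not say which additional measures the unaffected apps used, so the checks here (issuer, audience, expiry, nonce, and account lookup by `sub` instead of email) are assumptions, and all identifiers and sample claims are constructed.

```python
import hmac
import time

APPLE_ISSUER = "https://appleid.apple.com"

class TokenRejected(Exception):
    """Raised when signature-verified claims still fail a relying-party check."""

def check_claims(claims, client_id, session_nonce, now=None):
    # Precondition: the JWT signature was already verified with Apple's public key.
    now = time.time() if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise TokenRejected("unexpected issuer")
    if claims.get("aud") != client_id:
        raise TokenRejected("token was issued for a different app")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("missing or expired exp")
    # The nonce ties the token to the login attempt this server started.
    nonce = str(claims.get("nonce", ""))
    if not session_nonce or not hmac.compare_digest(nonce, session_nonce):
        raise TokenRejected("nonce does not match this session")
    if not claims.get("sub"):
        raise TokenRejected("missing sub")
    return claims

def lookup_by_email(claims, accounts):
    # Weak form: trusts the email claim, so any token that verifies and names
    # an address is mapped straight to that address's account.
    return next((a for a in accounts if a["email"] == claims.get("email")), None)

def lookup_by_sub(claims, accounts):
    # Hardened form: the account is bound to the subject identifier recorded
    # at sign-up; an unknown sub is a new user, never an existing account.
    return next((a for a in accounts if a["apple_sub"] == claims["sub"]), None)

def sign_in(claims, accounts, client_id, session_nonce, now=None):
    return lookup_by_sub(check_claims(claims, client_id, session_nonce, now), accounts)

# Constructed sample data (not real identifiers).
ACCOUNTS = [{"id": 1, "email": "owner@example.com", "apple_sub": "sub-owner-0001"}]
CLIENT_ID = "com.example.app"
NOW = 1_700_000_000
OWNER = {"iss": APPLE_ISSUER, "aud": CLIENT_ID, "exp": NOW + 600,
         "nonce": "n-123", "sub": "sub-owner-0001", "email": "owner@example.com"}
# Token that names the owner's email but carries a different subject.
MISMATCHED = dict(OWNER, sub="sub-other-0002")

if __name__ == "__main__":
    print(lookup_by_email(MISMATCHED, ACCOUNTS))                   # weak lookup
    print(sign_in(MISMATCHED, ACCOUNTS, CLIENT_ID, "n-123", NOW))  # hardened lookup
```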


Top Rated Comments

SBlue1
58 months ago
100,000? Well deserved. :)
Score: 13 Votes
B4U
58 months ago
Are we getting numb with the constant SW issues that Apple is having lately?
Score: 11 Votes
Peace
58 months ago
I’m getting burned out on Timmy's security problems.

Windows is looking better
Score: 10 Votes
I7guy
58 months ago

> I’m getting burned out on Timmy's security problems.
>
> Windows is looking better

Windows is better? Sure, Windows is as tight as a drum as far as that goes.

Just keep patching them Timmy.
Score: 7 Votes
cmaier
58 months ago

> I don't care.
>
> I'm done updating.
>
> I'm sick and tired of my phone being artificially slowed.
>
> I'm back to using Linux for things that need to be secure, like banking, etc.

You know this wasn’t a bug in the client software or operating system, right?
Score: 5 Votes
konqerror
58 months ago

> If it was unexploited and has been patched, there's not much of a story here… except to other businesses that might consider Sign In With Apple.

Bugs are a symptom, not the flaw. The constant stream of problems coming out from Apple shows their software development and QA processes are severely flawed.
Score: 5 Votes