Now Patched 'Sign in With Apple' Bug Left Users Open to Attack

Researcher Bhavuk Jain in April discovered a critical Sign in With Apple vulnerability that could have resulted in a takeover of some user accounts. The bug was specific to third party apps that used Sign in With Apple and didn't implement additional security measures.

SigninwithApple e1590865553423
Jain notes that Sign in With Apple works by authenticating a user through a JWT (JSON Web Token) or a code that's generated by Apple's server. Apple then gives users the option to share either the email tied to their Apple ID or a private relay email address,which creates a JWT that's used to log in a user.

Jain then discovered that once JWTs for both Apple ID emails and private relay email addresses were requested and the token's signature was verified using Apple's public key, it "showed as valid." Should the bug have not been discovered, a JWT could be created and used to gain access to one's account.

In an interview with The Hacker News, Jain spoke about the severity of the bug:

The impact of the this vulnerability was quite critical as it could have allowed a full account takeover. Many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple - Dropbox, Spotify, Airbnb, Giphy (now acquired by Facebook).

According to Jain, Apple conducted an investigation and concluded that no accounts were compromised using this method before the vulnerability was patched. Jain was paid $100,000 by Apple under its Apple Security Bounty Program for reporting the bug.

Top Rated Comments

SBlue1 Avatar
17 months ago
100,000? Well deserved. :)
Score: 13 Votes (Like | Disagree)
B4U Avatar
17 months ago
Are we getting numb with the constant SW issues that Apple is having lately?
Score: 11 Votes (Like | Disagree)
Peace Avatar
17 months ago
I’m getting burned out on timmys security problems .

windows is looking better
Score: 10 Votes (Like | Disagree)
I7guy Avatar
17 months ago

I’m getting burned out on timmys security problems .

windows is looking better
Windows is better? Sure windows is as tight as a drum as far as that goes.

Just keep patching them Timmy.
Score: 7 Votes (Like | Disagree)
cmaier Avatar
17 months ago

I don't care.

I'm done updating.

I'm sick and tired of my phone being artificially slowed.

I'm back to using Linux for things that need to be secure, like banking, etc.
You know this wasn’t a bug in the client software or operating system, right?
Score: 5 Votes (Like | Disagree)
konqerror Avatar
17 months ago

If it was unexploited and has been patched, there's not much of a story here… except to other businesses that might consider Sign In With Apple.
Bugs are a symptom, not the flaw. The constant stream of problems coming out from Apple shows their software development and QA processes are severely flawed.
Score: 5 Votes (Like | Disagree)

Top Stories

m1x mac mini screen feature

High-End 'M1X' Mac Mini With New Design and Additional Ports Expected to Launch in the 'Next Several Months'

Sunday August 22, 2021 5:59 am PDT by
Apple can be expected to launch an updated high-end Mac mini with a new design and a faster "M1X" Apple silicon processor in the "next several months," Bloomberg's Mark Gurman reports. In the latest publication of his Power On newsletter, Gurman writes that a new high-end Mac mini, which has previously been reported to feature a new design with additional ports, can be expected to replace...
mac scanner permission error

Apple Says Fix Planned for 'You Do Not Have Permission to Open the Application' Error When Using a Scanner on Mac

Saturday August 14, 2021 6:15 am PDT by
In a newly published support document on its website, Apple has acknowledged an error that some users may receive when they try to use a scanner with a Mac in the Image Capture app, Preview app, or the Printers & Scanners section of System Preferences. A screenshot of the error message from the HP Support Community When attempting to use a scanner with a Mac, Apple said users might get an...
iCloud General Feature

iCloud+'s New Custom Email Domain Feature Now Available in Beta

Wednesday August 25, 2021 7:48 am PDT by
Starting with iOS 15, iPadOS 15, and macOS Monterey, users with a paid iCloud+ storage plan can personalize their iCloud email address with a custom domain name, such as johnny@appleseed.com, and the feature is now available in beta. iCloud+ subscribers interested in setting up a custom email domain can visit the beta.icloud.com website, select "Account Settings" under their name, and select ...
original iphone

Phil Schiller Says iPhone Was 'Earth-Shattering' Ten Years Ago and Remains 'Unmatched' Today

Monday January 9, 2017 7:15 am PST by
To commemorate the tenth anniversary of the iPhone, Apple marketing chief Phil Schiller sat down with tech journalist Steven Levy for a wide-ranging interview about the smartphone's past, present, and future. The report first reflects upon the iPhone's lack of support for third-party apps in its first year. The argument inside Apple was split between whether the iPhone should be a closed...
macbookpro13large

macOS Big Sur Update Bricking Some Older MacBook Pro Models

Sunday November 15, 2020 5:33 am PST by
A large number of late 2013 and mid 2014 13-inch MacBook Pro owners are reporting that the macOS Big Sur update is bricking their machines. A MacRumors forum thread contains a significant number of users reporting the issue, and similar problems are being reported across Reddit and the Apple Support Communities, suggesting the problem is widespread. Users are reporting that during the...
m1 imac orange

New iMac Tidbits: Headphone Jack on Side, Ethernet Port on Power Adapter, Spatial Audio and WiFi 6 Support, No SD Card Slot

Wednesday April 21, 2021 6:38 am PDT by
Apple yesterday announced a completely redesigned 24-inch iMac with the M1 Apple silicon chip. The new iMac, the first major redesign of the Mac desktop computer since 2012, has several changes compared to the previous generation. In the aftermath of the event, a few new features and tidbits may have slipped under the radar, so we’ve compiled this list of some of the less-talked-about...
General YouTube Feature 1

YouTube Premium and Music Surpass 50 Million Subscribers

Friday September 3, 2021 2:19 am PDT by
YouTube says it has passed 50 million subscribers for its Premium and Music subscriptions, making it the "fastest growing music subscription" service in the world, according to YouTube's global head of music, Lyor Cohen. YouTube says that it has more than 50 million paying subscribers collectively across YouTube Premium and YouTube Music. The Google-owned service says it attributes this...
Top Stories 75 Thumbnail

Top Stories: Last-Minute iPhone 13 Rumors, Apple Announces App Store Changes, and More

Saturday September 4, 2021 6:00 am PDT by
The finish line is in sight! Apple's annual iPhone event is likely just a week or so away and all eyes will be on the company as it unveils the next version of its most popular product line. With any luck, we'll also see the next-generation Apple Watch and perhaps even some new AirPods. Other news this week saw Apple making some more changes to its App Store policies in response to a...
omg lightning cable comparison

Security Researcher Develops Lightning Cable With Hidden Chip to Steal Passwords

Thursday September 2, 2021 6:59 am PDT by
A normal-looking Lightning cable that can used to steal data like passwords and send it to a hacker has been developed, Vice reports. The "OMG Cable" compared to Apple's Lightning to USB cable. The "OMG Cable" works exactly like a normal Lightning to USB cable and can log keystrokes from connected Mac keyboards, iPads, and iPhones, and then send this data to a bad actor who could be over a...
studio buds family

Beats Studio Buds Debuting Today With Active Noise Cancellation, Stemless Design, and More for $150

Monday June 14, 2021 8:00 am PDT by
We've seen a lot of teasers about the Beats Studio Buds over the past month since they first showed up in Apple's beta software updates, and today they're finally official. The Beats Studio Buds are available to order today in red, white, and black ahead of a June 24 ship date, and they're priced at $149.99. The Studio Buds are the first Beats-branded earbuds to truly compete with AirPods...