Guides
How to Change App Icons in iOS 14

Customize your home screen and include custom icons for your favorite apps.

iOS 14 Home Screen Setup

iOS 14 Home Screen allows you to customize it more than ever.

Apple Watch Series SE vs 6

What are the differences between the Apple Watch Series 6 vs SE?

Apple Watch Series 5 vs 6

What are the differences between the Apple Watch Series 6 vs Series 5?

iOS 14: How to Use Picture in Picture Mode
iOS 14: Picture in Picture with Youtube
iOS 14: How to Use Widgets
iOS 14 Orange and Green Dots
Should you buy a Mac now or wait for Arm Macs?
AppleCare: Should you Get It?
iOS 14: How to Use the App Library
See more guides
Upcoming
Apple Watch 6
Just Released!

Blood oxygen monitor, new colors, S6 chip, and more.

iPad
Just Released!

Faster than ever with A12 Bionic chip and Neural Engine

iPad Air
October 2020

All-new design with A14 chip, new colors, Touch ID power button, and more.

iPhone 12
October 2020

Four new phones in three sizes expected with 5G and new AR capabilities.

AirTags
macOS 11 Big Sur
iMac
AirPods Studio
Apple Glasses
Foldable iPhone
See full product calendar

Now Patched 'Sign in With Apple' Bug Left Users Open to Attack

by

Researcher Bhavuk Jain in April discovered a critical Sign in With Apple vulnerability that could have resulted in a takeover of some user accounts. The bug was specific to third party apps that used Sign in With Apple and didn't implement additional security measures.


Jain notes that Sign in With Apple works by authenticating a user through a JWT (JSON Web Token) or a code that's generated by Apple's server. Apple then gives users the option to share either the email tied to their Apple ID or a private relay email address,which creates a JWT that's used to log in a user.

Jain then discovered that once JWTs for both Apple ID emails and private relay email addresses were requested and the token's signature was verified using Apple's public key, it "showed as valid." Should the bug have not been discovered, a JWT could be created and used to gain access to one's account.

In an interview with The Hacker News, Jain spoke about the severity of the bug:

The impact of the this vulnerability was quite critical as it could have allowed a full account takeover. Many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple - Dropbox, Spotify, Airbnb, Giphy (now acquired by Facebook).

According to Jain, Apple conducted an investigation and concluded that no accounts were compromised using this method before the vulnerability was patched. Jain was paid $100,000 by Apple under its Apple Security Bounty Program for reporting the bug.

Tags: Apple security, Sign in with Apple Guide

Top Rated Comments

(View all)
Avatar
SBlue1
16 weeks ago
100,000? Well deserved. :)
Score: 13 Votes (Like | Disagree)
Avatar
B4U
16 weeks ago
Are we getting numb with the constant SW issues that Apple is having lately?
Score: 11 Votes (Like | Disagree)
Avatar
Peace
16 weeks ago
I’m getting burned out on timmys security problems .

windows is looking better
Score: 10 Votes (Like | Disagree)
Avatar
I7guy
16 weeks ago


I’m getting burned out on timmys security problems .

windows is looking better

Windows is better? Sure windows is as tight as a drum as far as that goes.

Just keep patching them Timmy.
Score: 7 Votes (Like | Disagree)
Avatar
cmaier
16 weeks ago


I don't care.

I'm done updating.

I'm sick and tired of my phone being artificially slowed.

I'm back to using Linux for things that need to be secure, like banking, etc.

You know this wasn’t a bug in the client software or operating system, right?
Score: 5 Votes (Like | Disagree)
Avatar
konqerror
16 weeks ago


If it was unexploited and has been patched, there's not much of a story here… except to other businesses that might consider Sign In With Apple.

Bugs are a symptom, not the flaw. The constant stream of problems coming out from Apple shows their software development and QA processes are severely flawed.
Score: 5 Votes (Like | Disagree)
Read All Comments

Top Stories

iOS 14 Widgets Offer iPhone Users Creative Home Screen Ideas

Sunday September 20, 2020 8:43 pm PDT by
In iOS 14, Apple introduced ‌the concept of Home Screen‌ widgets, which provide information from apps at a glance. Widgets can be pinned to the Home Screen in various spots and sizes, allowing for many different layouts. Despite the relative lack of 3rd party widgets at launch, iOS users around the...
Read Full Article86 comments

iPhone 12 Lineup Rumored to Be Named 'iPhone 12 mini,' 'iPhone 12,' 'iPhone 12 Pro,' and 'iPhone 12 Pro Max'

Monday September 21, 2020 5:24 am PDT by
Leaker known as "L0vetodream" has today shared the alleged naming for the upcoming iPhone 12 lineup on Twitter. The tweet proposes that the upcoming iPhone 12 models will be titled "iPhone 12 mini," "iPhone 12," "iPhone 12 Pro," and "iPhone 12 Pro Max." The names likely correspond to the three expected sizes of iPhone 12, with the 5.4-inch model being the iPhone 12 mini, the 6.7-inch model ...
Read Full Article240 comments

Hands-On With the New Apple Watch Series 6 and Apple Watch SE

Friday September 18, 2020 1:19 pm PDT by
Today's the official launch date for the Apple Watch Series 6 and the Apple Watch SE, both of which Apple announced on Tuesday. We picked up a couple of the new models and thought we'd give them a quick look for MacRumors readers thinking of ordering a new watch. Apple Watch Series 6 & Apple Watch SE Hands-On! When it comes to design, both the $399 Series 6 and the $279 SE look just like...
Read Full Article154 comments

iOS 14 Picture in Picture No Longer Working With YouTube's Mobile Website in Safari [Without Premium]

Friday September 18, 2020 12:21 pm PDT by
Apple in iOS 14 added Picture in Picture to the iPhone, a feature designed to let you watch a video in a small screen on your device while you continue to do other things on the phone. When Picture in Picture was working with YouTube The YouTube app doesn't support Picture in Picture, but up until yesterday there was a functional workaround that allowed videos from YouTube.com to be watched...
Read Full Article206 comments

When Will the iPhone 12 Launch? Here's What We Know

Wednesday September 16, 2020 6:12 am PDT by
Yesterday's "Time Flies" Apple event saw the release of the Apple Watch Series 6, Apple Watch SE, iPad 8, and iPad Air 4, but no new iPhone models. Rumors before the event strongly alleged that it would not see the unveiling of new iPhones, with many reports pointing to an October launch. The lack of new iPhone models yesterday seems to confirm that the iPhone 12 lineup will not appear...
Read Full Article89 comments

Here's How You Can Download iOS 14 and iPadOS 14 Around the World [It's Out]

Wednesday September 16, 2020 2:36 am PDT by
Apple's official public release of iOS 14 and iPadOS 14 dropped on Wednesday, September 16, just a day after the company released the Golden Master to third-party developers. Also set to be made available to the general public for the first time are watchOS 7 and tvOS 14. Getting Started With iOS 14 Video Click image to watch iOS 14 Getting Started While that's left a lot of developers...
Read Full Article1226 comments

AirPods Studio Rumored to Come With U1 Chip, Ultra-Wideband Said to Be Vital to Future Apple Ecosystem

Sunday September 20, 2020 6:17 am PDT by
Proven leaker known as "L0vetodream" has today shared a range of information about the ultra-wideband U1 chip in Apple's upcoming AirTags item trackers and AirPods Studio headphones. The first of a series of tweets shared today simply stated that AirPods Studio will contain an ultra-wideband U1 chip. It seems likely that the U1 chip would be used in AirPods Studio to track the location of...
Read Full Article99 comments

Kuo: Apple to Accelerate Adoption of Mini-LED Displays in iPad and Mac Notebook Lineups

Sunday September 20, 2020 10:00 pm PDT by
Increased competition among Apple's suppliers for mini-LED display chips will accelerate the company's adoption of the advanced technology in its iPad and MacBook lineups, according to a new research note from analyst Ming-Chi Kuo seen by MacRumors. Kuo says that while Epistar had been predicted to be the exclusive supplier of mini-LED chips for Apple products in 2021, Sanan Optoelectronics...
Read Full Article71 comments

Top Stories: Apple Event Recap, Apple Watch Series 6, Redesigned iPad Air, and More

Saturday September 19, 2020 6:00 am PDT by
This week's news was obviously dominated by Apple's media event and the launch of iOS 14, but there was a lot to digest, so check out our summary below for the high-level view of the past week. With the exception of the massively redesigned iPad Air, all of the new hardware introduced this week is starting to appear on store shelves and on customers' doorsteps, while all of the new software...
Read Full Article18 comments

Apple Updates AirPods 2 and AirPods Pro Firmware to Version 3A283

Monday September 14, 2020 11:24 am PDT by
Apple today released new 3A283 firmware updates for the second-generation AirPods and the AirPods Pro. The second-generation AirPods are being updated from the 2D15 firmware they were previously running, while the AirPods Pros are being updated from the 2D27 firmware they had installed previously. Apple does not provide details on what's included in refreshed firmware so we don't know what's ...
Read Full Article354 comments