Now Patched 'Sign in With Apple' Bug Left Users Open to Attack
Researcher Bhavuk Jain in April discovered a critical Sign in With Apple vulnerability that could have resulted in a takeover of some user accounts. The bug was specific to third party apps that used Sign in With Apple and didn't implement additional security measures.
Jain notes that Sign in With Apple works by authenticating a user through a JWT (JSON Web Token) or a code that's generated by Apple's server. Apple then gives users the option to share either the email tied to their Apple ID or a private relay email address,which creates a JWT that's used to log in a user.
Jain then discovered that once JWTs for both Apple ID emails and private relay email addresses were requested and the token's signature was verified using Apple's public key, it "showed as valid." Should the bug have not been discovered, a JWT could be created and used to gain access to one's account.
In an interview with The Hacker News, Jain spoke about the severity of the bug:
The impact of the this vulnerability was quite critical as it could have allowed a full account takeover. Many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple - Dropbox, Spotify, Airbnb, Giphy (now acquired by Facebook).
According to Jain, Apple conducted an investigation and concluded that no accounts were compromised using this method before the vulnerability was patched. Jain was paid $100,000 by Apple under its Apple Security Bounty Program for reporting the bug.
Popular Stories
Last year, Apple launched CarPlay Ultra, the long-awaited next-generation version of its CarPlay software system for vehicles. Nearly a year later, CarPlay Ultra is still limited to Aston Martin's latest luxury vehicles, but that should change fairly soon.
In May 2025, Apple said many other vehicle brands planned to offer CarPlay Ultra, including Hyundai, Kia, and Genesis.
CarPlay Ultra...
As we wait for WWDC to kick off next Monday, Apple today announced the winners of its annual Apple Design Awards, recognizing apps and games for their innovation, ingenuity, and technical achievement.
The 2025 Apple Design Award winners are listed below, with one app and one game selected per category:
Delight and Fun - CapWords (App) and Balatro (Game)
Innovation - Play (App) and PBJ -...
While the AirPods Max 2 received more attention, Apple also released a second pair of headphones last month: Nike Powerbeats Pro 2.
Nike Powerbeats Pro 2 are the same as the regular Powerbeats Pro 2, except they have a two-tone design consisting of black and Nike's signature Volt neon green-yellow color. The headphones were released on March 20 in the U.S., Canada, Australia, the U.K., and a ...
Popular Stories
macOS Tahoe 26.4 introduces a new security feature that warns Mac users if they paste certain commands in the Terminal app that may be harmful.
For those unaware, the Terminal app allows you to enter text commands to perform tasks on your Mac. Terminal is primarily intended for advanced users and developers, but unfortunately casual users can be tricked into entering harmful commands that...
Apple has begun pushing Lock Screen notifications to iPhones and iPads running older versions of iOS and iPadOS, warning users of active web-based attacks.
The alerts, which appear as a "Critical Software" notification from the Settings app, warn that Apple "is aware of attacks targeting out-of-date iOS software, including the version on your iPhone," and urge users to install a critical...
Apple says it has no record of a successful spyware attack against any device running Lockdown Mode, the opt-in security feature it introduced in 2022.
"We are not aware of any successful mercenary spyware attacks against a Lockdown Mode-enabled Apple device," an Apple spokesperson told TechCrunch.
Lockdown Mode is available on the iPhone, iPad, and Mac, and dramatically restricts...
