Apple paid 100 thousand dollars for finding a vulnerability in the Sign in with Apple service
Sign in with Apple is a new login method that was meant to protect our privacy. Apple has just paid 100,000 dollars to the developer who found a hole in it.
In iOS 13, Apple introduced a new way for users to sign in to mobile applications. Instead of handing your data to software developers or logging in through services such as Facebook or Google, you can use the Sign in with Apple service and protect your privacy.
Although some doubt is raised by the fact that Apple used a stick rather than a carrot to encourage developers, the new solution was praised even by Tim Cook's biggest competitor. Thanks to it, service providers never learn the user's real email address, which makes it easier to defend against spam.
Unfortunately, it turned out that the Sign in with Apple service contained a bug that could result in the loss of access to data.
The matter was described by the author of the blog bhavukjain.com. He explained that knowing a user's Email ID parameter was enough to log in to an online service through Sign in with Apple as that user. The developer detected this zero-day vulnerability as early as April, and it affected all sites using this login method that did not implement additional security on their side.
In the blog entry, the developer explains that the vulnerability was related to the user authorization method. It uses either a JSON Web Token (JWT) directly, or a code generated on Apple's servers from which a JWT is then created. This works similarly to OAuth 2.0, and the way the Cupertino company's solution works is explained in the diagram:
What was the error in Sign in with Apple?
The developer explains that when the user decides to hide their Apple ID from the service provider, Apple generates an Email ID dedicated to that one application. A JWT containing this Email ID parameter is then generated, and online services use it for authorization.
It turned out that in April it was possible to request a JWT for any Apple Email ID, and the token's signature verified correctly against Apple's public key. Anyone who knew a victim's Email ID could therefore obtain a validly signed JSON Web Token for it and gain full access to the account.
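The relying-party side of the flow described above, as an added example that is not from the original post or from Apple: a validator for a Sign in with Apple id_token that checks the signature and then the iss, aud, exp, nonce and sub claims. The HMAC demo key, client id, nonce and claim values are constructed stand-ins for Apple's RS256 signing key and a real app; these checks alone would not have caught the bug above, because Apple itself signed the tokens, which is why keying accounts on the stable sub claim and adding extra safeguards on the service's own side matter.

```python
import base64
import hashlib
import hmac
import json

APPLE_ISSUER = "https://appleid.apple.com"

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def validate_id_token(token, client_id, expected_nonce, verify_signature, now):
    """Validate an id_token the way a relying party must: signature first, then every claim.
    verify_signature(header, signing_input, sig) -> bool checks against the issuer's key
    (Apple's RS256 JWKS in production); now is the current unix time. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":  # never accept an unsigned token
        raise ValueError("unsigned token rejected")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not verify_signature(header, signing_input, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != APPLE_ISSUER or claims.get("aud") != client_id:
        raise ValueError("issuer or audience mismatch")  # token minted for another app
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:  # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):  # Apple's stable user id: key accounts on this, not on email
        raise ValueError("missing subject")
    return claims

# Constructed stand-in for Apple's signing key (HMAC-SHA256 so the example runs offline).
DEMO_KEY = b"constructed-demo-key"

def demo_verify(header, signing_input, signature):
    expected = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return header.get("alg") == "HS256" and hmac.compare_digest(expected, signature)

def make_token(claims, key=DEMO_KEY):
    # Mints a demo token; this is the issuer's job and exists here only to build test input.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```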
Fortunately, Apple says that the zero-day was never exploited, and the bug in the Sign in with Apple service has already been patched. In addition, the person who reported this zero-day said the company awarded him a prize of 100,000 dollars as part of the Apple Security Bounty program.