HomeTakeoverAccount TakeoverHuge Bounty for Zero-day Vulnerability Found in Sign in with APPLE Feature

Huge Bounty for Zero-day Vulnerability Found in Sign in with APPLE Feature

What is Zero Day Vulnerability ?

Zero-day vulnerability is a security flaw in software that is unknown to the vendor. Attackers can exploit this vulnerability to launch cyber attacks, such as data theft or system damage.

How it looks like?

Imagine you have a secret diary with a lock that only you know the combination to. You feel confident that your secrets are safe and protected from anyone else. However, one day you discover that someone has found a way to unlock your diary without knowing the combination, and they’ve been reading all of your private thoughts and feelings.

This is similar to what happens with zero-day vulnerabilities. Software companies create programs with various security measures in place to prevent unauthorized access or attacks. However, sometimes cyber attackers find a way to exploit a vulnerability in the software that the company didn’t know existed – a “zero-day” flaw – and use it to access sensitive information or cause damage to a system.


What is Broken Access Control ?

Broken access control is a type of vulnerability where an attacker can access sensitive information or functionality without proper authorization. This can occur due to misconfigured access controls or insufficient user authentication mechanisms.


The Story

A vulnerability in the Sign in with Apple feature has been discovered in April 2020. This vulnerability could have allowed a full account takeover for users of third-party applications. This vulnerability was found by cybersecurity researcher Bhavuk Jain. The vulnerability would have affected third-party apps that used Sign in with Apple. But the third-party application failed to implement additional security measures. Thus, Jain was awarded $100,000 bounty by Apple through its security bounty program for reporting the issue.

The Sign in with Apple system works similarly to OAuth 2.0 and uses either a JSON Web Token (JWT) or a code generated by the Apple server to authenticate a user.

Depending on a user’s privacy preference, the JWT will contain either the user’s Apple email ID or a relay email ID generated by Apple.

Jain discovered that he could request JWTs for any email ID. So, when Jain verified signature of these JWTs with Apple’s public key, they appeared to be valid

This would have allowed an attacker to forge a JWT with any email ID and gain access to the victim’s account.

Apple investigated its logs and found no evidence of misuse or account compromise as a result of the vulnerability. The company confirmed the issue has been fixed.

The impact of the vulnerability could have been significant. As many developers have integrated Sign in with Apple, making it mandatory for apps that support social logins.

Some of the popular apps that use Sign in with Apple include Dropbox, Spotify, Airbnb, and Giphy (now owned by Facebook).

Although these apps were not tested for the vulnerability. But it could have been at risk of full account takeover without additional security measures in place.

In conclusion, Bhavuk Jain praised the Apple security team for their quick response to the issue and for their efforts to maintain the security of their users’ accounts.


How to Prevent Broken Access Control Vulnerbility?

Here are the steps to prevent Broken Access Control Vulnerabilities:

  1. Develop a secure access control policy: Define roles and permissions that align with business requirements, limit the access granted to the users and groups, and define what data or resources each role can access.
  2. Implement proper authentication and authorization mechanisms: Use strong password policies, two-factor authentication, and session management techniques to prevent unauthorized access. Implement authentication and authorization mechanisms that are appropriate for the level of risk involved.
  3. Enforce data validation and input sanitization: Ensure that all user input is validated and sanitized before being processed by the application. This prevents malicious users from injecting code or commands that could be used to exploit the application.
  4. Limit direct object references: Do not expose internal object references directly to users. Use an indirect reference map to ensure that users can only access authorized resources.
  5. Monitor access logs and audit trails: Regularly monitor access logs and audit trails to detect suspicious activity, unauthorized access attempts, and other security-related events.

By following these steps, developers can significantly reduce the risk of Broken Access Control vulnerabilities in their applications, which helps protect sensitive information from unauthorized access.



Link to write up: here

Save the PDF here

A cybersecurity practitioner with more than 5 years of experience in the cybersecurity world. Has an interest in creating simple blog websites, learning about SEO and graphic design, writing, AI, and understanding the concepts of journalism. Intentionally created this website to make the world of cybersecurity more engaging by combining it with journalistic principles and presenting cybersecurity stories that are easy to understand, which can help anyone who wants to develop in the cybersecurity world.



Please enter your comment!
Please enter your name here

3 × 4 =

Most Popular


- Advertisement -