Bug in Apple ID login made account takeover possible
There was a bug in Apple’s third-party application login service, which theoretically allowed attackers to take over an account. “Sign in with Apple” is a sign-in service that allows users to sign in to third-party apps with their Apple ID.
The programming flaw was discovered by Bhavuk Jain, who detailed it on his blog. It is a zero day that he discovered in April, and where the bug has since been fixed by Apple. As a result of the report, Jain was awarded $100,000 as part of Apple’s “bug bounty” program.
According to Jain, the flaw was in the way a token is generated to authenticate an Apple ID. The security researcher discovered that he could create a token for any email address that was then validated by Apple’s public key. That way, malicious parties could gain access to the Apple account associated with the email address.
Apple is said to have investigated the impact of the bug, according to Jain, but no cases have been discovered where it has been actively exploited. As a result, it appears that no accounts have been stolen or taken over.