Advertisement

Researcher claims $100,000 for ‘Sign in with Apple’ hack

It highlights the big payouts Apple has been offering through a bug bounty program it expanded last year.
apple sign in
The research comes a year after Apple unveiled the "Sign in with Apple" feature, which authenticates users on apps without disclosing their Apple IDs. (Pexels)

The same login feature that Apple introduced last year to protect privacy could have been abused to hack into third-party applications on an iPhone, a security researcher has found.

The discovery earned New Delhi-based programmer Bhavuk Jain $100,000, he said, highlighting the critical nature of the flaw and the big payouts Apple has been offering through a bug bounty program it expanded last year.

Jain figured out how to generate a login token for an Apple ID and use it to access third-party apps with lax security. Manipulating the tokens at their source was all Jain needed to access the apps.

The research comes a year after Apple unveiled the “Sign in with Apple” feature, which authenticates users on apps without disclosing their Apple IDs. Apple has touted it as a more privacy-conscious alternative to requiring users to log in to apps through their social media accounts.

Advertisement

Jain did not detail the types of apps he could’ve accessed, but the sign-in feature is increasingly popular with app developers, he said. “A lot of developers have integrated ‘Sign in with Apple’ since it is mandatory for applications that support other social logins,” Jain wrote in a blog discussing his findings. Apple didn’t find any evidence of real-world hacks that had exploited the vulnerability, he said.

It’s the kind of critical bug that Apple will pay big money to researchers to track down. Last month, another security researcher revealed a hack of an iPhone camera and microphone that bagged him $75,000.

An Apple official confirmed that the company had paid Jain $100,000 for the bug and fixed the issue.

In addition to the authentication tokens that support it, an Apple ID itself can be valuable information for an attacker. A Google researcher in January detailed how, armed only with a target’s Apple ID, he could remotely compromise an iPhone to steal text messages and other data.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts