Researcher Discloses 'Sign in with Apple' Zero-Day FlawBug Bounty Hunter Reveals Critical Issue Affecting Third-Party Applications
An independent security researcher disclosed a zero-day vulnerability contained in the "Sign in with Apple" feature that, if exploited, could have resulted in a full account takeover.
The Sign in with Apple feature enables users to sign into apps and websites using their Apple ID. The vulnerability has been patched, and Apple says it found no account misuse tied to it, according to the researcher who discovered the zero-day flaw.
The zero-day vulnerability, which affected third-party applications that use "Sign in with Apple" but did not implement their own security measures, was revealed in a blog posted May 30 by Bhavuk Jain. As a reward for the disclosure, Apple paid Jain a $100,000 bug bounty fee.
Sign in with Apple uses two methods to authenticate a user when attempting to sign in to a third-party app - a JSON Web Token, or JWT, or a code generated by Apple to create a JWT, Jain notes.
"I found I could request JWTs for any Email ID from Apple, and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” Jain wrote. “This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account."
The bug bounty hunter points out that the potential damage that could have been wrought by exploiting the vulnerability was significant because Sign in with Apple is widely used by app developers.
Dan McInerney, senior researcher with the security firm Coalfire, says exploiting the vulnerability could open the door to a "full account takeover with very little effort. It is extremely dangerous, especially because the malicious actor could easily automate the process to get access to almost every Apple account in existence. It almost rendered all other Apple security irrelevant."
Bug Bounty Benefits
Apple has no qualms about paying large bug bounties. In August 2019, the company posted that it was willing to pay $1 million for a kernel-level vulnerability that requires no interaction on behalf of the victim and persists and upped the bounty amounts for a wide variety of other issues (see: Apple Expands Bug Bounty; Raises Max Reward to $1 Million).
McInerney says the $100,000 bug bounty that Jain earned was reasonable.
"I would not have been surprised to see an even higher amount here, given the intense gravity of the vulnerability,” he says.
But Katie Moussouris, CEO of Luta Security, which focuses on building organizational readiness for vulnerability disclosures, says tech firms have to guard against paying bounties that are too high.
"There's a logical limit above which the defense market cannot rise, or you will end up shanking your own hiring pipeline and creating these perverse incentives," she says.
Bug bounty platform provider HackerOne announced on Thursday it had surpassed the $100 million mark in bounty payouts it has facilitated since its inception in 2013. The average payout is $771, the company reports.
Also on Thursday, Google announced an expanded bug bounty program, dubbed Google Vulnerability Rewards Program, to cover all the critical open-source dependencies of Google Kubernetes Engine - with a $10,000 top payout.