Apple has reportedly paid $100,000 (around Rs 75 lakh) to an Indian developer for finding a critical bug in the 'Sign in with Apple' process. Bhavuk Jain, a 27-year-old developer, found a "zero-day" bug in the 'Sign in with Apple' process that could have allowed hackers to take over a user's account on a third-party application.
"What if I say, your Email ID is all I need to take over your account on your favorite website or an app. Sounds scary, right? This is what a bug in 'Sign in with Apple' allowed me to do," Jain said in a blog post.
"In the month of April, I found a zero-day in 'Sign in with Apple' that affected third-party applications which were using it and didn't implement their own additional security measures. This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not," he added.
'Sign in with Apple' was launched in June last year. It allows users to set up a user account to sign in to third-party apps with their Apple ID without having to use their email address. This is done by generating a JSON Web Token, or JWT, which contains the information required by the third-party application to confirm the identity of the user while preserving user privacy. However, the zero-day bug exposed user accounts to attacks.
Jain explained in his blog post that there was no validation to check whether the same user who generated the JWT was the one requesting the JWT to log in to the third-party account. Hackers could have exploited the vulnerability by forging a JWT. Since a lot of developers have integrated 'Sign in with Apple', this vulnerability could have proved quite critical.
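As an added illustration (not code from the article, from Jain, or from Apple), here is what the consuming side of that flow looks like when a third-party app verifies the ID token itself: signature, issuer, audience, expiry, and finally the binding the article describes as missing, that the token names the same user who started the sign-in. It assumes the app already holds Apple's stable subject identifier for the account the session is trying to access (expectedSub), uses a locally generated RSA key in place of Apple's published signing key, and the client ID "com.example.app" is a constructed value.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
// Claims is the subset of the ID-token JWT the relying party inspects (encoding/json matches "iss" etc. case-insensitively).
type Claims struct {
	Iss, Aud, Sub string // issuer, audience (this app's client_id), Apple's stable user identifier
	Exp           int64  // expiry, seconds since the Unix epoch
}
func decode(seg string) []byte { b, _ := b64.DecodeString(seg); return b } // bad base64 -> nil, fails later checks
// VerifyIDToken checks signature, issuer, audience and expiry, then that the token's subject is
// the user whose sign-in this session started: the "same user" binding the article says was missing.
func VerifyIDToken(tok string, pub *rsa.PublicKey, clientID, expectedSub string, now int64) (*Claims, error) {
	p := strings.Split(tok, ".")
	var h struct{ Alg string }
	var c Claims
	if len(p) != 3 || json.Unmarshal(decode(p[0]), &h) != nil || h.Alg != "RS256" || json.Unmarshal(decode(p[1]), &c) != nil {
		return nil, fmt.Errorf("malformed token or unexpected alg") // pin RS256 instead of trusting the header
	}
	d := sha256.Sum256([]byte(p[0] + "." + p[1])) // the signed input is the raw header.payload text
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], decode(p[2])) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	if c.Iss != "https://appleid.apple.com" || c.Aud != clientID || now >= c.Exp {
		return nil, fmt.Errorf("not a live token issued by Apple for this app")
	}
	if c.Sub != expectedSub {
		return nil, fmt.Errorf("subject %q is not the user who started this sign-in", c.Sub)
	}
	return &c, nil
}

// MintToken signs claims with key; it stands in for the issuer only so the example runs offline.
func MintToken(c Claims, key *rsa.PrivateKey) string {
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	d := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return signing + "." + b64.EncodeToString(sig)
}
```

In production the public key comes from Apple's published JWKS, selected by the token header's key id, rather than from a key the app generated itself.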
In his blog post, Jain also said that he was paid $100,000 by Apple under the Apple Security Bounty program for finding this vulnerability. The issue has been resolved. Jain added that Apple investigated their logs and determined that there was no misuse and no account compromised as a result of this vulnerability.