Apple fixes sign-in bug that would have let anyone log into your apps
The bug affected 'Sign in with Apple', a way for iOS users to log into apps that avoided competing, popular services from Facebook and Google
Apple has fixed a sign-in bug that could have allowed malicious individuals to take control of a user’s account, paying $100,000 to the person who found it.
The flaw relates to the “Sign in with Apple” feature, which the company introduced in 2019 as a privacy-focused alternative to the sign-in options from Facebook or Google, yet one that is easier than using an email login.
At the end of May, however, developer Bhavuk Jain disclosed a software vulnerability that could have allowed hackers to achieve a “full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”
The issue lay in a token generated by Apple’s servers that is used to log in on the basis of a user’s Apple ID email: Jain found that such a token could be generated for any email address, and Apple would verify the login.
“Sign in with Apple” works by using a JWT (JSON Web Token) or a code from the Apple server. The user’s device makes a request to Apple’s server, which returns a JWT; the device then presents that token to the third-party application, which checks it via Apple’s servers again. All of this happens almost instantly.
However, Jain found that the JWT request was not secure. “I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account,” Jain wrote.
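The token flow described above, as an added example that is not code from the article, from Jain's write-up or from Apple: a relying party receives a compact JWT, checks its signature, issuer, audience and expiry, and only then trusts the claims inside. The signing key, issuer URL, client identifier, user identifier and email addresses are constructed for the demo, and an HMAC stands in for the public-key signature that Apple actually uses, so the whole thing runs with the standard library. The point it makes is the one in the article: a forged or edited token is rejected by these checks, but a token the identity provider itself signed for the wrong email passes every one of them, which is why the fix had to be on Apple's side and why an app that keys accounts on the stable `sub` claim rather than on `email` is exposed less by such an upstream fault.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: the key stands in for Apple's private signing key, and a real
# relying party would verify an asymmetric signature with Apple's published public key.
ISSUER_KEY = b"constructed-demo-signing-key"
EXPECTED_ISS = "https://appleid.apple.com"   # issuer of Sign in with Apple ID tokens
EXPECTED_AUD = "com.example.thirdpartyapp"   # hypothetical client id of the relying party


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature), as the identity provider would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, key: bytes, now=None) -> dict:
    """Relying-party validation: signature, then issuer, audience, expiry and subject."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong audience")   # a token minted for another app is not ours
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def tamper_email(token: str, new_email: str) -> str:
    """Rewrite the email claim without re-signing, which breaks the signature check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["email"] = new_email
    return (header_b64 + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
            + "." + sig_b64)


def demo(now: int = 1_600_000_000) -> dict:
    """Run the checks over a genuine token and three altered or misdirected ones."""
    base = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "001234.constructed-user-id",
            "email": "victim@example.com", "iat": now, "exp": now + 600}
    genuine = mint_token(base, ISSUER_KEY)
    other_app = mint_token(dict(base, aud="com.example.otherapp"), ISSUER_KEY)
    results = {"genuine": verify_token(genuine, ISSUER_KEY, now)["sub"]}
    cases = [("tampered_email", tamper_email(genuine, "attacker@example.com"), now),
             ("wrong_audience", other_app, now),
             ("expired", genuine, now + 601)]
    for name, tok, t in cases:
        try:
            verify_token(tok, ISSUER_KEY, t)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} -> {outcome}")
```

Note that `verify_token` looks up nothing by email; an app that resolves the account from `sub` after these checks would still get the attacker's own subject identifier from a token the provider signed with someone else's email attached, rather than the victim's account.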
After disclosing the bug, Jain received $100,000 as part of Apple’s bug bounty program. Apple says that it had checked its server logs and found no evidence that the exploit was used to take control of any accounts.
This is not the only patch Apple had to make in its iOS 13.5 update. Before the launch of the new operating system it also patched a jailbreak exploit that had reportedly been circulating on the internet since at least February.