MANILA, Philippines – Apple paid Indian security researcher Bhavuk Jain $100,000 for reporting a bug he found back in April in the company's "Sign in with Apple" feature, which would have allowed a remote attacker to take over another person's account by bypassing authentication.
The Sign in with Apple feature allows users to sign up for an account on third-party apps without needing to disclose their Apple IDs, which take the form of their email addresses.
Speaking with The Hacker News, Jain explained that the vulnerability stemmed from the way Apple validated a user on the client side before initiating a request from Apple's authentication servers. According to Jain, the server creates a JSON Web Token (JWT) which holds the information a third-party app uses to confirm the user trying to sign in.
Jain explained in his May 30 blog post that he "could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple's public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim's account."
According to Jain, this was a critical vulnerability, as it allowed a full account takeover.
Because he reported the bug, Apple was able to fix it quickly, and the company told Jain they investigated their logs and found "no misuse or account compromise due to this vulnerability." – Rappler.com