Bug in 'Sign in with Apple' would have compromised users data while using third party apps for which Indian developer Bhavuk Jain was rewarded $100,000 by Apple
Guwahati: India’s Bhavuk Jain just grabbed $100,000 (Rs 75 lakh approx) from Apple by discovering a loophole aka a critical bug in the ‘Sign in with Apple’ process.
Apple is usually known for its most secured and privacy-centric methods and has gone to great lengths to give user privacy its utmost security. However, the 27-old-developer discovered a “Zero Day” bug in the setting which would have allowed hackers to take over the user’s account on the third-party application.
In his blog post he said, “What if I say, your Email ID is all I need to takeover your account on your favorite website or an app. Sounds scary, right? This is what a bug in Sign in with Apple allowed me to do.”
Sign in with Apple was introduced with iOS 13, MacOS Catalina, iPadOS 13, tvOS 13 and WatchOS 6. The idea of Apple was to give more privacy options to their users while using any third-party apps and websites. So, instead of the user's own email ID, this feature logs in other apps with the Apple ID.
“In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures,” he added. This bug, irrespective of the user having a valid Apple ID or not, would have resulted in a full account takeover of user accounts on that third party application, he said.
This Zero Day bug would have given a hacker a freeway to break into the victim’s account who log into third-party apps like Spotify, Giphy, Airbnb and Dropbox, and much more.
“For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty program,” said Jain. The developer is a full-stack developer with his interests lying in mobile app development. Currently, Jain is a full-time bug bounty hunter and has been in the business for three years. He has been awarded by Stackflow, Google, Pinterest, Facebook, Grab, Yahoo in the past for finding their security flaws.
Apple was also quick in fixing the rudimentary yet fatal flaw and fixed it withing hours of acknowledging the report by Jain.