Patched Sign In with Apple Zero Day Netted Hacker $100,000

Sign In with Apple badge

Security researcher Bhavuk Jain found a zero day vulnerability with Sign In with Apple in April. Apple has already patched it but details are only coming out now. Mr. Jain was awarded US$100,000 as part of the Apple Security Bounty program.

Sign In with Apple Zero Day

If exploited, the vulnerability would have let an attacker take over a person’s Sign In with Apple account on a website even if that person didn’t have an Apple ID. Sign In with Apple relies on either a code generated by Apple’s servers or a JSON Web Token (JWT).

This diagram represents how the JWT creation and validation works.
This diagram represents how the JWT creation and validation works. Credit: Bhavuk Jain

When a person creates an account on a website or app using Sign In with Apple, they sometimes have the option to hide their email. When the email is hidden Apple creates a private relay to forward emails to the person’s real address. Apple creates a JWT containing the email ID used by the third party.

I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.

Apple’s investigation into the issue didn’t find any examples where this attack was actually exploited in the wild.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

WIN an iPhone 15 Pro Max!

Enter our epic giveaway for a chance to win the latest iPhone 15 Pro Max!