Last April a security researcher discovered a flaw in Sign in with Apple that could have allowed an attacker to access another user's account on a third-party service that relied on the system. After fixing the flaw, Apple rewarded its discoverer with $100,000.

A bug that was never exploited, and is already fixed

The bug Bhavuk Jain discovered lay in the authentication flow used by Sign in with Apple. When signing in, the system offers to share your real email address with the app or to use a random relay address instead; in either case, Apple's servers then generate a JWT (JSON Web Token) carrying the chosen address, and that token is what the app uses for authentication.

Jain found a flaw in how the system validated the user on the client side before initiating a request to Apple's authentication servers. That request produces the JWT that third-party apps and services use to confirm the user's identity. The problem was that, although the system required an Apple ID to be signed in before the request could be made, it did not validate that the Apple ID for which the JWT was being requested was the same one that had signed in.

Therefore, in this second step, after signing in with one Apple ID, a different Apple ID (email address) could be supplied in the request, and the server would generate a valid JWT for that second Apple ID, which in turn allowed signing in to the third-party service as that user. It should be stressed that the flaw never gave access to another person's Apple ID account itself; only to their accounts on third-party services that trusted the token.
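To make the failure concrete, here is an added example (not Apple's code, and not from the researcher's report) of a token-issuing endpoint that makes the same mistake described above, next to a corrected version. The JWT signing, the session shape, the key, and the email addresses are all constructed for the example; the point is only where the missing check goes.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: a server-side HS256 key. Real identity
# providers sign with an asymmetric key; the shape of the check is the same.
SIGNING_KEY = b"example-only-hs256-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jwt(claims: dict) -> str:
    """Mint a minimal HS256 JWT (no exp/iat handling, enough to show the flaw)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str) -> dict:
    """Check the signature and return the claims (what a third-party service does)."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


# Constructed session for a user who has just signed in with her Apple ID.
# Field names are hypothetical, not Apple's.
ALICE_SESSION = {
    "authenticated": True,
    "user_id": "000123.alice",
    "email": "alice@example.com",
    "relay_email": "k2j5x@privaterelay.example",
}


def issue_token_vulnerable(session: dict, requested_email: str) -> str:
    """Flawed: confirms only that *someone* is signed in, then signs whatever
    email the request body names. An attacker signed in as Alice can ask for
    a token carrying the victim's address."""
    if not session.get("authenticated"):
        raise PermissionError("not signed in")
    return make_jwt({"sub": session["user_id"], "email": requested_email})


def issue_token_fixed(session: dict, requested_email: str) -> str:
    """Corrected: the email placed in the token must belong to the Apple ID
    that actually signed in (its real address or its relay address)."""
    if not session.get("authenticated"):
        raise PermissionError("not signed in")
    allowed = {session["email"], session["relay_email"]}
    if requested_email not in allowed:
        raise PermissionError("requested email does not belong to the signed-in Apple ID")
    return make_jwt({"sub": session["user_id"], "email": requested_email})


def attempt(issuer, session: dict, requested_email: str) -> tuple:
    """Run an issuer and report what a relying service would see in the token."""
    try:
        return ("ok", verify_jwt(issuer(session, requested_email))["email"])
    except PermissionError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    # Alice is signed in but asks for a token naming someone else.
    print(attempt(issue_token_vulnerable, ALICE_SESSION, "victim@example.com"))
    print(attempt(issue_token_fixed, ALICE_SESSION, "victim@example.com"))
    print(attempt(issue_token_fixed, ALICE_SESSION, "k2j5x@privaterelay.example"))
```

The relying service cannot tell the two tokens apart: both carry a valid signature from the identity provider, so the only place the mismatch can be caught is on the provider's side, by binding the email claim to the authenticated session before signing.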

According to Jain, Apple investigated and concluded that no account had been compromised using this method before the vulnerability was reported. Under the Apple Security Bounty program, which rewards researchers for reporting security flaws in Apple's systems, Jain received $100,000.

