'Sign in With Apple' Bug Allowed Unrestricted Access
Apple has paid a $100,000 reward to a security researcher who discovered a simple but potentially damaging bug. Until it was fixed, the bug could have let attackers take over a user's account on any site that accepted Apple logins.
The problem was with "Sign in with Apple", a system that lets users sign up for and log in to websites with their Apple account rather than creating separate credentials for each site or going through an email confirmation process.
As with similar systems from Facebook and Google, it only works on websites that support the "Sign in with Apple" feature. When the user visits the third-party site and chooses to sign in with Apple, the site hands the login off to Apple, which confirms the user's identity. Once confirmed, Apple issues a signed authentication token. The third-party site then treats that token like a temporary ID badge, similar to one given to a visitor to a secure building, complete with an expiry date.
When the user returns to the site, they can log straight in using their Apple account.
Email Address Is All a Hacker Needs
As Sophos notes, it's a benefit for both sides: Apple gives users an incentive to create an account, while the third-party website can take advantage of Apple's security system. (Source: sophos.com)
Researcher Bhavuk Jain discovered a major flaw in the way Apple had set the system up. The login process involves exchanging a batch of data that includes the email address the user wants to use as an identifier on the website.
However, Jain found that a request to Apple's servers naming any valid email address would return an authentication token for that address, and that token granted access to any website that used "Sign in with Apple." Because the token came from Apple itself, the website had no way to tell it apart from one issued to the real account holder.
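To make the last point concrete, here is a toy model of the checks a relying website can perform on an ID token and why none of them catch a token the identity provider itself issued with the wrong email. This is an added example, not Apple's code or the researcher's. It uses a shared-secret HMAC (HS256) as a stand-in for the provider's public-key signature so it runs with the standard library only; the issuer URL, client id, key material, account table and claim layout are all constructed assumptions for the illustration.

```python
"""Toy relying-party validation of an OpenID-style ID token.

Added example (not Apple's or the researcher's code). HS256 with a shared
secret stands in for the provider's asymmetric signature; ISSUER, CLIENT_ID,
ISSUER_KEY and the sample accounts are constructed for this illustration.
"""
import base64
import hashlib
import hmac
import json

ISSUER = "https://appleid.apple.com"      # issuer value assumed for this toy
CLIENT_ID = "com.example.relying-party"    # constructed relying-party client id
ISSUER_KEY = b"toy-issuer-signing-key"     # stand-in for the issuer's private key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Identity-provider side: sign the claims exactly as handed in.

    Nothing here checks that the requester actually owns the email it names;
    a token minted this way is indistinguishable from a legitimate one.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    body = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, now: int, key: bytes = ISSUER_KEY) -> tuple:
    """Relying-party side. Returns ("ok", claims) or ("rejected", reason).

    Signature, issuer, audience and expiry are the checks a site can make;
    they establish who minted the token and for whom, not whether the
    issuer put the right person's email inside it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ("rejected", "malformed")
    head, payload, sig = parts
    try:
        given_sig = _b64url_decode(sig)
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return ("rejected", "malformed")
    expected = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return ("rejected", "bad signature")
    if claims.get("iss") != ISSUER:
        return ("rejected", "wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        return ("rejected", "wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return ("rejected", "expired")          # the badge's validity date
    return ("ok", claims)


def login_with_token(token: str, now: int, accounts_by_email: dict):
    """Site logic that identifies the account by the token's email claim."""
    status, result = verify_token(token, now)
    if status != "ok":
        return None
    return accounts_by_email.get(result.get("email"))


# Constructed scenario: one victim account, three tokens.
NOW = 1_700_000_000
ACCOUNTS = {"victim@example.com": "victim-account-42"}


def scenario() -> dict:
    base = {"iss": ISSUER, "aud": CLIENT_ID, "exp": NOW + 600}
    # 1. Attacker signs a token with a key of their own: caught by the signature check.
    forged = issue_token({**base, "email": "victim@example.com"}, key=b"attacker-key")
    # 2. Genuine but stale token: caught by the expiry check.
    expired = issue_token({**base, "email": "victim@example.com", "exp": NOW - 1})
    # 3. Attacker asks the issuer for a token naming the victim's email and the
    #    issuer signs it without checking entitlement: every RP check passes.
    issuer_signed = issue_token({**base, "email": "victim@example.com"})
    return {
        "forged": verify_token(forged, NOW)[1],
        "expired": verify_token(expired, NOW)[1],
        "issuer_signed": login_with_token(issuer_signed, NOW, ACCOUNTS),
    }


if __name__ == "__main__":
    print(scenario())
```

The third case is the shape of the bug the article describes: the token is genuinely the provider's, so the website's verification succeeds and the attacker lands in the victim's account. Only the issuer can close that gap, which is why the fix had to happen on Apple's side rather than at the sites that rely on it.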
Bug Fixed Before Hackers Strike
In other words, somebody with malicious intent who knew an Apple ID user's email address could, in theory, sign in to any account that user had created using "Sign in with Apple." Fortunately, Jain reported the bug to Apple, which fixed it before anyone else found and exploited the problem. (Source: techradar.com)
This means there is no need for immediate action by Apple ID users. However, it is a reminder that measures which make website logins more convenient also concentrate risk: a single flaw at the identity provider affects every site that relies on it.
What's Your Opinion?
Do you use the "Sign in with Apple" system or similar systems from Google and Facebook? Are you surprised such a simple setup mistake happened? Is it smart of Apple to offer rewards to incentivise independent researchers to look for such bugs?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website! If you need technical assistance, I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).