Apple has reportedly paid $100,000 (about 75 lakh rupees) to an Indian developer who found a bug in its ‘Sign in with Apple’ service. The 27-year-old developer is named Bhavishya Jain. Jain found a zero-day bug in the ‘Sign in with Apple’ flow through which an attacker could have taken over the account of any Apple user signing in with it. The company acknowledged the bug and said it has been fixed following an investigation; it also said the bug had not been exploited.
What is ‘Sign in with Apple’?
Jain revealed in his blog post on May 30 that he discovered a bug in Apple’s ‘Sign in with Apple’ process in April. The Sign in with Apple feature was introduced in June last year. It allows Apple account holders to sign in to third-party apps without sharing their email IDs with them. Under the hood, Apple issues a JSON Web Token (JWT) that carries the information a third-party app needs to identify the user. The feature was introduced to protect user privacy, but the zero-day bug Jain detected left those same accounts open to takeover.
Sign in with Apple bug
According to Jain’s blog post, signing in with Apple has two steps. In the first step, the user logs in with their Apple account. In the second step, Apple issues the JWT that is handed to the third-party app. Jain found that in this second step Apple did not verify that the request for the JWT came from the same user who had logged in during the first step. That missing check is what allowed an attacker to take over the user’s account.
Jain said that he could request a JWT for any email ID linked to an Apple account, and when the signature of such a token was verified using Apple’s public key, it showed as valid. This means an attacker could request a JWT for any email ID and gain access to that person’s account. Jain said the flaw was very serious, because it allowed a full takeover of anyone’s account. Through it, an attacker could reach users’ personal data, including log-ins, credentials, passwords and account details.
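The two preceding paragraphs describe the shape of the flaw: the token issuer trusted the email named in the request instead of binding it to the user who had actually authenticated, and because the token was genuinely signed by the issuer, signature verification on the app side could not detect the substitution. The toy model below, an added example that is not Jain’s code or Apple’s, makes that concrete. It uses an HMAC-signed JWT as a stand-in for Apple’s real signing (which uses an RSA key pair), a constructed session table, and hypothetical function names (`vulnerable_issue_for_email`, `hardened_issue_for_email`); none of these come from the original article.

```python
"""Toy model of an identity-token issuer with and without the authenticated-user check."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for the issuer's private signing key (the real flow uses RS256).
ISSUER_KEY = b"constructed-toy-issuer-key-not-a-real-secret"

# Constructed session table: what the issuer knows after step 1 (the user logged in).
# Each session records the identity the user authenticated as and the relay address
# they may choose to share instead of their real email.
SESSIONS = {
    "session-alice": {"apple_id": "alice@example.com", "relay": "abc123@relay.example"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(claims: dict) -> str:
    """Sign a JWT (HS256 toy version) exactly as the issuer would for any claims it is given."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str) -> Optional[dict]:
    """The relying app's check: is the signature genuine? Returns the claims or None.

    This is all the third-party app can do; it has no way of knowing whether the
    issuer bound the email claim to the user who logged in.
    """
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None


def vulnerable_issue_for_email(session_id: str, requested_email: str) -> str:
    """Step 2 as described in the post: checks that *someone* is logged in, then signs
    a token for whatever email the request names. Nothing ties the email to the session."""
    if session_id not in SESSIONS:
        raise PermissionError("not authenticated")
    return issue_jwt({"iss": "toy-issuer", "email": requested_email})


def hardened_issue_for_email(session_id: str, requested_email: str) -> str:
    """Step 2 with the missing check: the email in the token must be one of the
    identities the authenticated session is allowed to present."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise PermissionError("not authenticated")
    allowed = {session["apple_id"], session["relay"]}
    if requested_email not in allowed:
        raise PermissionError("requested identity does not belong to the authenticated user")
    # The subject claim is the authenticated identity, never the request's input.
    return issue_jwt({"iss": "toy-issuer", "sub": session["apple_id"], "email": requested_email})


def app_side_can_detect_substitution() -> bool:
    """Returns False: a token the vulnerable issuer signs for a victim's email verifies fine."""
    token = vulnerable_issue_for_email("session-alice", "victim@example.com")
    return verify_jwt(token) is None


if __name__ == "__main__":
    print("app-side verification catches the substituted email:", app_side_can_detect_substitution())
    try:
        hardened_issue_for_email("session-alice", "victim@example.com")
    except PermissionError as exc:
        print("hardened issuer refused:", exc)
```

The point the model makes is that the defence belongs at the issuer, not the relying app: once a token for the wrong email has been signed, every downstream signature check passes, so the only effective control is to refuse to mint a token for an identity the current session never proved. Audit logs at the issuer that record the authenticated identity alongside the email placed in each token are the corresponding detection signal.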
Although most apps do not yet support this sign-in method, it is available in Dropbox, Giphy, Spotify and Airbnb.