For the uninitiated, ‘Sign in with Apple’ is a privacy-preserving login mechanism launched by Apple at WWDC 2019 that allows users to sign up for accounts with 3rd-party applications without disclosing their actual email addresses.
The feature protects user privacy by generating a unique, random relay email address for use during the sign-up process. It also limits the personal information sent to the 3rd-party service to the minimum necessary. Any email sent to the relay address is forwarded to the primary email address, which is the one used to sign in to Apple services.
A highly critical vulnerability in this feature saw Apple pay a $100,000 bug bounty to Indian security researcher Bhavuk Jain, who reported it to Apple in April 2020.
The company has since fixed the bug.
Before getting into the details of the vulnerability, we need to understand how ‘Sign in with Apple’ authenticates a user.
When a user chooses ‘Sign in with Apple’ to sign in to a 3rd-party service or app, they must first log in to their Apple account before Apple processes the request. Once the user is logged in, Apple gives them the option of sharing their actual Apple email ID with the 3rd-party app or hiding it. If the user chooses to hide it, Apple generates a user-specific relay email ID for that app.
Whichever option the user chooses, Apple then issues a signed JWT (JSON Web Token) whose claims include the email ID (real or relay). The 3rd-party app or service verifies the token's signature against Apple's public key and uses the claims to identify the user.
Below is a diagram that shows how the JWT is created and validated.
The vulnerability was on Apple's side: the authentication server did not verify that the account requesting a JWT actually owned the email ID named in the request. An attacker could therefore request a JWT for any email ID, and because Apple itself signed it, the token validated correctly against Apple's public key. In effect, a JWT could be forged for any email ID, allowing the attacker to take over the victim's account at the 3rd-party service.
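The following is an added model of the flow described above, written for this article and not taken from Jain's report or from Apple's code. It plays both sides: Apple's authorization server issuing the identity token, with and without the missing ownership check, and a 3rd-party backend doing the verification a relying party normally does (signature, issuer, audience, expiry, nonce). Everything concrete in it is constructed: the signing uses HMAC-SHA256 as a stand-in for Apple's RS256 signature so it runs offline, and the account table, client ID, nonce and subject identifiers are made up. The point it shows is that the relying party's checks all pass for the forged token, because the token really was signed by Apple.

```python
"""Model of the 'Sign in with Apple' identity-token flow (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

# Assumption: HMAC-SHA256 with a shared secret stands in for Apple's RS256 key
# pair (Apple publishes its real public keys at https://appleid.apple.com/auth/keys).
APPLE_SIGNING_KEY = b"stand-in-for-apple-private-key"
APPLE_ISSUER = "https://appleid.apple.com"
CLIENT_ID = "com.example.thirdpartyapp"  # constructed relying-party client ID

# Constructed account table: Apple ID -> stable subject ID and per-app relay address.
ACCOUNTS = {
    "attacker@example.com": {"sub": "001234.attacker", "relay": "a1b2c3@privaterelay.appleid.com"},
    "victim@example.com": {"sub": "009876.victim", "relay": "x9y8z7@privaterelay.appleid.com"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(claims: dict) -> str:
    """Serialise header.payload and append the (stand-in) signature."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "stand-in"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(APPLE_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class AppleAuthServer:
    """Apple's side. enforce_ownership=False models the behaviour before the fix."""

    def __init__(self, enforce_ownership: bool):
        self.enforce_ownership = enforce_ownership

    def issue_id_token(self, logged_in_apple_id: str, requested_email: str,
                       client_id: str, nonce: str) -> str:
        account = ACCOUNTS[logged_in_apple_id]
        owned = {logged_in_apple_id, account["relay"]}
        # The missing check: the email in the request must belong to the
        # account that is actually logged in. Pre-fix, any email was signed.
        if self.enforce_ownership and requested_email not in owned:
            raise PermissionError("requested email does not belong to the logged-in account")
        now = int(time.time())
        claims = {
            "iss": APPLE_ISSUER, "aud": client_id, "sub": account["sub"],
            "email": requested_email, "email_verified": True,
            "is_private_email": requested_email == account["relay"],
            "nonce": nonce, "iat": now, "exp": now + 600,
        }
        return _sign(claims)


def verify_id_token(token: str, client_id: str, expected_nonce: str, now=None) -> dict:
    """The relying party's checks. Returns the claims or raises ValueError."""
    head, payload, sig = token.split(".")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(APPLE_SIGNING_KEY, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def attempt_forgery(enforce_ownership: bool):
    """Attacker, logged in as attacker@example.com, asks Apple for a token naming the
    victim's email and presents it to the 3rd-party backend. Returns the email the
    backend accepted, or None if Apple refused to issue the token."""
    apple = AppleAuthServer(enforce_ownership)
    nonce = "constructed-nonce-1234"
    try:
        token = apple.issue_id_token("attacker@example.com", "victim@example.com", CLIENT_ID, nonce)
    except PermissionError:
        return None
    return verify_id_token(token, CLIENT_ID, nonce)["email"]


if __name__ == "__main__":
    print("pre-fix :", attempt_forgery(False))  # victim@example.com, accepted by the backend
    print("post-fix:", attempt_forgery(True))   # None, Apple refuses to sign it
```

Note that every relying-party check succeeds in the pre-fix case; nothing the 3rd-party backend can do with the token alone distinguishes it from a genuine login. In this model the forged token carries the attacker's own `sub` together with the victim's email; whether the real forged tokens did the same is not stated on this page, so that detail is an assumption of the example. Under that assumption a backend that keys accounts on `sub` rather than on email would not link the forged token to the victim, which is the kind of "other security measure" a relying party could have in place.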
Many developers have integrated ‘Sign in with Apple’, since Apple requires it in iOS apps that offer other social logins (e.g. Google, Facebook). They include Dropbox, Spotify and Airbnb. Users of such services could have been exposed to a full account takeover if no other security measures were in place to verify a user.
After the report, Apple investigated its logs and determined that there had been no misuse or account compromise due to this vulnerability.
If you are interested in the full details of the vulnerability, you can read Jain's blog post.