Apple introduced “Sign in with Apple” with iOS 13, alongside other headline features such as “Deep Fusion”, a more capable photo editor, and the popular “Dark Mode”. Unlike those, “Sign in with Apple” was a privacy-focused feature. However, Bhavuk Jain, an Indian developer with a BSc in Electronics and Communication, found a zero-day vulnerability in the “Sign in with Apple” account authentication system. He reported it to Apple, and the company rewarded him handsomely.
The vulnerability could have let an attacker take over a user’s account in third-party apps that rely on the feature, such as Spotify, Giphy (now owned by Facebook), Dropbox, and Airbnb.
Apple built “Sign in with Apple” so that users can sign in to an app or service without exposing their personal email address. Apple issues the app a unique, stable user identifier for authentication and, if the user chooses to hide their email, a per-app relay address that forwards mail to the user’s real inbox.
However, Jain found that Apple’s authentication server would issue a validly signed identity token (a JWT) containing whatever email address the client asked for, without checking that the address belonged to the Apple ID that was signed in. Any third-party app that verified Apple’s signature and then looked up the account by that email address would log the attacker in as the victim.
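The following is an added example, not code from the article, from Apple, or from Jain’s write-up. It models the flow just described: a token issuer that signs whatever email the caller requests (the bug), a relying party that verifies the token correctly but selects the account by the `email` claim (and is taken over), and a hardened relying party that keys accounts on the stable `sub` claim instead. To run offline with the standard library only, the tokens are HS256 JWTs signed with a shared secret; real Apple identity tokens are RS256 and are verified against Apple’s published public keys. The secret, client ID, Apple IDs and account store are all constructed for the example.

```python
"""Added example: why a correctly verified identity token can still take over
an account when the issuer signs an unverified email claim, and why keying
accounts on `sub` rather than `email` closes that hole.

Assumption: HS256 with a shared secret stands in for Apple's RS256 keys so
the example runs offline. All identities, secrets and accounts are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER_SECRET = b"constructed-issuer-secret"   # stands in for Apple's signing key
ISSUER = "https://appleid.apple.com"
CLIENT_ID = "com.example.thirdpartyapp"       # constructed relying-party client id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, requested_email: str, now: Optional[int] = None) -> str:
    """Model of the buggy issuer: signs whatever email the caller asked for
    without checking that it belongs to the Apple ID identified by `sub`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub,
              "email": requested_email, "iat": now, "exp": now + 600}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(ISSUER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Relying-party verification: alg, signature, issuer, audience and expiry.
    A forged token passes all of these because the issuer really did sign it."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")           # never accept 'none' or a swapped alg
    expected = hmac.new(ISSUER_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


# Constructed account store: the victim already registered with this app.
ACCOUNTS = {
    "victim@example.com": {"apple_sub": "000123.victim", "owner": "victim"},
}


def login_by_email(token: str, now: Optional[int] = None) -> str:
    """Vulnerable pattern: trust the email claim to select the account."""
    claims = verify_token(token, now)
    account = ACCOUNTS.get(claims["email"])
    return account["owner"] if account else "new user " + claims["email"]


def login_by_sub(token: str, now: Optional[int] = None) -> str:
    """Hardened pattern: the stable `sub` identifies the Apple ID; the email
    is advisory and is never used to select an existing account."""
    claims = verify_token(token, now)
    for account in ACCOUNTS.values():
        if account["apple_sub"] == claims["sub"]:
            return account["owner"]
    return "new user " + claims["sub"]


if __name__ == "__main__":
    # The attacker signs in with their own Apple ID but asks for the victim's email.
    forged = issue_token(sub="000999.attacker", requested_email="victim@example.com")
    print("email-keyed app logs in as:", login_by_email(forged))
    print("sub-keyed app logs in as:  ", login_by_sub(forged))
```

Note that the hardened relying party cannot detect the forgery: the token is genuine. It simply refuses to let an email claim, verified or not, override the identity Apple already bound to `sub`, which is the check a practitioner should carry over to real RS256 verification against Apple’s keys.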
“This bug could have resulted in a full account takeover of user accounts on third-party apps irrespective of a victim having a valid Apple ID or not”, says Jain.
Jain reported the vulnerability to Apple through the Apple Security Bounty programme, and Apple awarded the 27-year-old developer $100,000 (roughly Rs 75,57,350).
“For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty programme”, Jain announced.