Security Affairs
JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Expert earns $100,000 for ‘Sign in with Apple’ authentication bypass bug

The expert Bhavuk Jain received an award of $100,000 for reporting a severe security issue in ‘Sign in with Apple’ authentication bypass bug that could allow the takeover of third-party user accounts.  The bug hunter Bhavuk Jain received an award of $100,000 by Apple, as part of its bug bounty program, for reporting a severe […]

sign in with apple

The expert Bhavuk Jain received an award of $100,000 for reporting a severe security issue in ‘Sign in with Apple’ authentication bypass bug that could allow the takeover of third-party user accounts. 

The bug hunter Bhavuk Jain received an award of $100,000 by Apple, as part of its bug bounty program, for reporting a severe vulnerability that could allow the takeover of third-party user accounts. 

The vulnerability was affecting the Apple ‘Sign in with Apple‘ system, it could have allowed remote attackers to bypass authentication and take over targeted users’ accounts on third-party services and apps that have been registered using ‘Sign in with Apple’ machanism.

Sign in with Apple allows users to sign in to their apps and websites using their Apple ID. Instead of filling out forms, verifying email addresses, and choosing new passwords, they can use Sign in with Apple to set up an account and start using your app right away. The accounts are protected with two-factor authentication, and Apple does not track users’ activity in their app or website.

Bhavuk Jain discovered how to bypass authentication mechanisms and access to third-party user accounts by using the target’s email ID. 

The expert explained that the vulnerability affects how client-side user validation requests are handled.

The Sign in with Apple could authenticate a user via a JSON Web Token (JWT) or a code generated by a server. 

“The Sign in with Apple works similarly to OAuth 2.0. There are two possible ways to authenticate a user by either using a JWT (JSON Web Token) or a code generated by the Apple server. The code is then used to generate a JWT. The below diagram represents how the JWT creation and validation works.” reads the post published by the expert.

Apple allows users to choose if they want to share the Apple Email ID with the 3rd party app or not.  In case the user opts to hide the email ID, Apple generates a JWT token containing it which is then used by the third-party service to authenticate a user. 

Jain discovered that is was possible to request a JWT token for any email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they are considered as validation.

“I found I could request JWTs for any email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” Jain continues . “This means an attacker could forge a JWT by linking any email ID to it and gaining access to the victim’s account.”

Due to this validation issue, any third-party service using Sign in with Apple could have been vulnerable to account hijacking attacks.

“The impact of this vulnerability was quite critical as it could have allowed a full account takeover. Many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins.” states the expert.

Many popular applications support the Sign in with Apple feature, including Dropbox, Spotify, Airbnb, and Giphy, that could have been vulnerable to a full account takeover if there were leveraging only on the security measures implemented by Apple.

iCloud accounts could have been hacked exploiting this issue too.

The good news is that Apple is not aware of attacks that exploited the flaw in the wild.

Apple has already addressed the flaw. 

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Apple, cybersecurity)

[adrotate banner=”5″]

[adrotate banner=”13″]