Signing in with an Apple Account Was Unsafe

A cybersecurity expert from India discovered a serious vulnerability in Apple's login authorization system, the feature that lets users sign in to third-party sites and apps with their Apple account. According to experts, an attacker could have used the discovered vulnerability to access any user's account.


Delhi-based cybersecurity researcher Bhavuk Jain has reported a flaw in Apple's popular feature that allows you to access multiple sites using your Apple ID account. Bhavuk Jain's research results are published on his blog.

We are talking about the "Sign in with Apple" feature that was launched last year.

"This is a faster, easier, and more secure way to access programs and websites using the current Apple ID," the company's official website reads.

If a website or application has a "Sign in with Apple" button, the user does not need to register separately and create a new password: they can simply sign in with their Apple account. The company introduced this feature "to maintain confidentiality and control personal data".

As Bhavuk Jain found out, using this feature not only fails to guarantee privacy but can have far worse consequences, for example the theft of personal information.

"What if I say that your email ID is all I need to grab your account on your favorite site or application? Sounds scary, right? I found this bug in the 'Sign in with Apple' feature," the researcher writes on his blog.

It turns out that during authentication with an Apple account, Apple's server generates a JSON Web Token (JWT) that contains confidential information about the user. Jain found that he could request a JWT for the identifier of any email address associated with an Apple account, and then pass it as a valid token to gain access to that user's profile on the chosen site or application.
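The defender-side counterpart of the flow described above is the check a relying party (the site or app) performs on the identity token before trusting it. The example below is added here and is not code from Apple, from Bhavuk Jain's blog, or from any of the affected services. It pins the algorithm, verifies the signature, and checks the issuer, audience, expiry and nonce claims, then keys the local account on the stable `sub` identifier rather than on the email claim. To keep it self-contained it signs a constructed demo token with HMAC-SHA256; real "Sign in with Apple" tokens are RS256-signed and must be verified against the public keys Apple publishes at its JWKS endpoint, so the key, client id, nonce and claim values here are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: stands in for Apple's RS256 public key. A real Apple
# identity token must be verified against Apple's published JWKS keys; the
# HMAC here only keeps the example runnable offline.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
APPLE_ISSUER = "https://appleid.apple.com"  # real issuer value for Apple tokens
DEMO_ALG = "HS256"  # pinned; a real relying party would pin RS256


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed JWT so the validator below has input to check."""
    header = {"alg": DEMO_ALG, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header).encode())
        + "."
        + _b64url_encode(json.dumps(claims).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(ValueError):
    """Raised when a token fails any relying-party check."""


def validate_id_token(token: str, client_id: str, expected_nonce: str,
                      key: bytes = DEMO_KEY, now=None) -> dict:
    """Verify the signature and the claims a relying party must check
    before trusting an identity token; return the claims on success."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Never let the token choose the algorithm; compare against the pinned one.
    if header.get("alg") != DEMO_ALG:
        raise TokenError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != APPLE_ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != client_id:
        raise TokenError("token was issued for a different app")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise TokenError("no subject identifier")
    return claims


def account_key(claims: dict) -> str:
    """Key the local account on the stable 'sub', not on the email claim:
    emails can change or be relay addresses, 'sub' identifies the user."""
    return claims["sub"]
```

The nonce is generated per login attempt by the relying party and passed to Apple with the authorization request, which is what lets the check above reject a token replayed from an earlier session.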

"The consequences of this vulnerability are very serious because it allows full access to other people's accounts. Many developers have integrated the 'Sign in with Apple' feature in their programs because this is a prerequisite for applications that support other social network accounts."

The researcher wrote that these include Dropbox, Spotify, Airbnb and Giphy (owned by Facebook).

According to Bhavuk Jain, he reported the vulnerability to Apple in April, and it has since been fixed. Under its bug bounty program, which rewards people who discover security vulnerabilities, the Cupertino-based company paid Jain $100,000. According to Apple's investigation, no user account was found to have been compromised through the vulnerability Jain discovered.

Earlier, Apple released a new version of its operating system, iOS 13.5, which includes a feature for device owners wearing a mask during the coronavirus pandemic: when Face ID is used to unlock the iPhone, the user just swipes down and the system immediately offers passcode entry without waiting for the face scanner.
