'Sign in with Apple' flaw let attackers take over accounts

Forged tokens would grant access to virtually any account.
Jon Fingas, @jonfingas
May 30, 2020
[Image: ‘Sign in with Apple’ example at WWDC 2019. Credit: Chris Velazco/Engadget]

‘Sign in with Apple’ is potentially more private than other login options, but it apparently included a serious security flaw. Researcher Bhavuk Jain recently received a $100,000 bug bounty for discovering a flaw in the sign-in service as used through third-party apps (via Hacker News). If an app didn’t have its own security measures, an attacker could forge a token linked to any email ID and verify it as ‘valid’ using Apple’s public key. That could allow a “full account takeover” even if you chose to hide your email from other services, Jain said.

Jain found the flaw in April, and it’s already fixed. Apple said there was no evidence of accounts being compromised as a result of the flaw.

There shouldn’t have been any damage done as a result. Nonetheless, the bug probably isn’t what Apple wanted to grapple with in the wake of a string of security issues, including an earlier Mail vulnerability. It’s fixing issues quickly — the question is whether or not it can cut down on these issues going forward.
