An Indian developer reportedly received a $100,000 cheque from Apple for finding a bug in one of its products. A 27 year old developer named Bhavuk Jain is said to have found a bug in Apple’s “Sign In With Apple” system.
Jain said that he found a zero day bug in the Sign in with Apple system which could allow hackers to gain access to the user’s account when logging-in. Apple went on to acknowledge the critical security bug, the company also reportedly patched the bug and also found during its investigation that the bug had not been exploited.
“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account,” said Jain.
Sign in with Apple is Apple’s offering to allow developers to create an easier, simpler, and secure login system without much effort. Developers can add the “Sign in with Apple” button to their apps or on web platforms such as websites and web apps.
Apple introduced the ‘Sign in with Apple’ last June and said that users can also opt to not share their actual email ID but rather let Apple share a temporary email ID. Apple’s implementation of a secure login system is the best in the industry at the moment.
However, Jain said in his explanation that Apple’s login system generates a JSON Web Token (JWT) which contains some information about the user and is sent to the app or website that the user is trying to log into.
According to Jain, the zero day bug he had found exposes the user information from the JSON Web Token. Apple has reported that it has fixed the issue now and has rewarded Jain handsomely.
