A flaw in the “Login with Apple” system in third-party applications and services that did not have an additional security system in place could allow cybercriminals to gain control of a user account.
The security flaw was discovered in April by researcher Bhavuk Jain, who informed the technology company of a “zero-day” vulnerability that has already been corrected. For this discovery, Apple, through its rewards program, has paid him $ 100,000.
Specifically, this is a localized bug in the “Login with Apple” system, which allows users to access third-party applications and websites with their Apple ID. This system allows the user to hide their email, if they do not want to put theirs, which generates a random and exclusive email that redirects to personal email.
Jain found that on those third-party sites that had not implemented additional security measures, a malicious person could create a “token” linked to any email ID, which would be valid with Apple’s public key.
In this way, he could gain control of an account, making this failure critical. The investigator has indicated in his publication that Apple investigated the situation and determined that he had not identified a misuse of this ruling or accounts that had been compromised. Still, the company has solved a serious problem with its service by rewarding a cybersecurity expert. .