Apple pays US$100,000 bounty to developer for finding critical login vulnerability

One developer became US$100,000 richer after finding and reporting a critical security flaw to Apple's bounty programme. (Image source: TheDigitalWay / Pixabay)

Apple has paid a US$100,000 bounty to Bhavuk Jain for a security vulnerability he found within the "Sign in with Apple" ability found on some websites and third-party applications. The bug could allow hackers to take full control of a user's account.

Craig Ward, Published 06/01/2020

This particular security weakness came about due to the way Apple's servers verified a user account during the "Sign in with Apple" login process. When logging in, a JSON Web Token is used to authenticate the account, and this token can contain the user's Apple ID email address depending on which options are selected.

Jain found that he could request a JSON Web Token for any legitimate Apple account and the signature would be verified as valid each time. A hacker only needed to know the email address associated with an Apple ID to get a validated token and obtain access to the account. Accounts using two-factor authentication (2FA) likely to be protected from this attack vector.

During the patching process, Apple reviewed server logs and found no evidence that anyone had exploited this flaw.

Bounty programmes are a popular way for tech companies to encourage white hat hackers (hackers who hack with permission) to try and find vulnerabilities in their software. These flaws get reported and patched before the bug is made public. Although many high-profile companies have bounty programmes, more substantial bounties aren't paid out very often since they are reserved for significant and critical vulnerabilities.

Source(s)

Bhavuk Jain

The OpenCore Computer system is claimed to be available as a pre-made Hackintosh. (Source: OpenCore Computers)

'OpenCore Computer' advertises pre-built Hackintosh computers that break Apple's EULA 06/14/2020

TTGO T-Internet: A compact single-board computer that supports PoE, Bluetooth 5.1 and Wi-Fi. (Image source: Lilygo)

TTGO T-Internet: A compact single-board computer that supports PoE, Bluetooth 5.1 and Wi-Fi 06/11/2020

A mockup of how an iPad Pro-inspired iMac could look. (Image source: MacRumors)

WWDC 2020: ARM MacBook and iPad Pro-inspired iMac set to join AirPods Studio and Air Tags from June 22 06/10/2020

The Watch Series 6 will not feature microLED displays, but Apple will undoubtedly make many other upgrades to its popular smartwatch. (Image source: Suganth)

The Apple Watch Series 6 may arrive with an OLED display; no microLED display in sight 06/09/2020

The Apple Card currently offers cash back on purchases, and 24 months interest free on iPhones in the US. (Source: Apple)

Apple reportedly about to expand interest free offerings 06/07/2020

Seeed Studio has brought Bluetooth, Ethernet and Wi-Fi to the BeagleBone Green Gateway. (Image source: Seeed Studio)

Seeed Studio brings Bluetooth, Ethernet and Wi-Fi to the BeagleBone Green Gateway 06/02/2020

Business-grade phishing poses business-grade risks. (Source: Pixabay)

The rate of mobile phishing aimed at businesses grew by 37% by the end of March 2020 06/02/2020

OLED screens, like the one used in the iPhone 11 Pro Max, may soon be usurped by microLED. (Image via Notebookcheck review)

Apple considers $330 million investment in Taiwanese microLED factory for future iPhones and MacBooks 06/01/2020

Apple MacBook Pro: RAM upgrade now costs twice as much for the 13-inch model. (Image source: Apple)

Apple MacBook Pro: RAM upgrade now costs twice as much for the 13-inch model 06/01/2020

The exploit is introduced via a seemingly harmless blank email. (Image Source: zecOps)

Apple's iPhone and iPad devices have been plagued by serious vulnerabilities since 2018, security analyst reports 04/23/2020

Zoom zero-day vulnerabilities are being auctioned for up to US$500,000 04/16/2020

Apple touts iPhone privacy as a key selling point on its website. (Source: Apple)

FBI pressure leaves iCloud, iPhone users vulnerable to unencrypted back door 01/22/2020

Researchers at Symantec discover media file vulnerability in WhatsApp and Telegram 07/17/2019

PC-Doctor Tool For Windows is also believed to be vulnerable to cyber attacks. (Image source: Lifewire)

Cybersecurity company finds worrying vulnerability affecting millions of Dell laptops and desktops 06/22/2019

Loading Comments

Comment on this article

Next-gen console rumors: PS5 will b...

Intel's 7nm Ocean Cove architecture...

Craig Ward - Tech Writer - 397 articles published on Notebookcheck since 2017

I grew up in a family surrounded by technology, starting with my father loading up games for me on a Commodore 64, and later on a 486. In the late 90's and early 00's I started learning how to tinker with Windows, while also playing around with Linux distributions, both of which gave me an interest for learning how to make software do what you want it to do, and modifying settings that aren't normally user accessible. After this I started building my own computers, and tearing laptops apart, which gave me an insight into hardware and how it works in a complete system. Now keeping up with the latest in hardware and software news is a passion of mine.

Please share our article, every link counts!