Notebookcheck

Apple pays US$100,000 bounty to developer for finding critical login vulnerability

One developer became US$100,000 richer after finding and reporting a critical security flaw to Apple's bounty programme. (Image source: TheDigitalWay / Pixabay)
Apple has paid a US$100,000 bounty to Bhavuk Jain for a security vulnerability he found in the "Sign in with Apple" feature offered on some websites and in third-party applications. The bug could have allowed hackers to take full control of a user's account.

This particular security weakness came about due to the way Apple's servers verified a user account during the "Sign in with Apple" login process. When logging in, a JSON Web Token is used to authenticate the account, and this token can contain the user's Apple ID email address depending on which options are selected.

Jain found that he could request a JSON Web Token for any legitimate Apple account, and the signature would be verified as valid each time. A hacker needed only the email address associated with an Apple ID to obtain a validated token and gain access to the account. Accounts using two-factor authentication (2FA) are likely to be protected from this attack vector.
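To make concrete what "the signature would be verified as valid" means on the receiving side, here is an added example (not code from the article, from Apple, or from Jain's report) of the checks a website or app performs on a "Sign in with Apple" identity token before trusting its email claim. It assumes HS256 with a constructed shared key in place of Apple's RS256 keys, and constructed values for the app identifier, nonce and email; every check shown passes for any token the provider actually signed, which is why the flaw described had to be fixed on Apple's side rather than by the apps relying on it.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for the provider's signing key. Apple really signs identity
# tokens with RS256 keys from its JWKS endpoint; HS256 is used only to run stand-alone.
IDP_KEY = b"constructed-demo-key-not-a-real-secret"
ISSUER = "https://appleid.apple.com"  # documented 'iss' value for Apple identity tokens

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """Provider side: mint a signed JWT for whatever claims it is handed."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str, audience: str, nonce: str, now: int, key: bytes = IDP_KEY) -> dict:
    """Relying-party side: return the claims only if every check passes, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must never choose the algorithm
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("token was minted for a different app")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replay")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # Any token the provider actually signed passes all of the above: the email claim is
    # trusted on the signature alone, so a provider that signs for an unverified email
    # cannot be caught here. That is why the fix had to be made at the issuer.
    return claims

def login_email(token: str, audience: str, nonce: str, now: int):
    """What the app does at login: the email to sign in, or None if the token is rejected."""
    try:
        return verify_token(token, audience, nonce, now)["email"]
    except (ValueError, KeyError):
        return None
```

The audience and nonce checks stop a token issued to one app from being replayed against another; they cannot tell whether the issuer confirmed that the email in the token belongs to the person who logged in.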

During the patching process, Apple reviewed server logs and found no evidence that anyone had exploited this flaw.

Bounty programmes are a popular way for tech companies to encourage white hat hackers (hackers who hack with permission) to try to find vulnerabilities in their software. These flaws get reported and patched before the bug is made public. Although many high-profile companies have bounty programmes, the larger bounties aren't paid out very often, since they are reserved for significant and critical vulnerabilities.

Craig Ward, 2020-06-01 (Update: 2020-06-01)