Apple Touch ID Flaw Could Have Let Attackers Hijack iCloud Accounts

August 5, 2020
in Internet Privacy

Apple earlier this year fixed a security vulnerability affecting iOS and macOS that could have allowed an attacker to gain unauthorized access to a user's iCloud account.

Uncovered in February by Thijs Alkemade, a security specialist at IT security firm Computest, the flaw resided in Apple's implementation of the Touch ID (or Face ID) biometric feature that authenticates users to websites in Safari, specifically those that use Apple ID logins.

After the issue was reported to Apple through its responsible disclosure program, the iPhone maker addressed the vulnerability in a server-side update.

An Authentication Flaw

The central premise of the flaw is as follows. When a user tries to sign in to a website that requires an Apple ID, a prompt is displayed offering to authenticate the login with Touch ID. Accepting it skips the separate two-factor authentication step, since the prompt already combines two factors: the device (something you have) and the biometric (something you are).


Contrast this with logging in to an Apple domain (e.g. "icloud.com") the usual way, with an Apple ID and password: the website embeds an iframe pointing to Apple's login validation server ("https://idmsa.apple.com"), which handles the authentication process.


As shown in the researcher's video demonstration, the iframe URL carries two further parameters: a "client_id" identifying the service (e.g., iCloud) and a "redirect_uri" giving the URL the browser is sent to after successful verification.

When the user is instead validated with Touch ID, the iframe is handled differently: it communicates with the AuthKit daemon (akd), which performs the biometric authentication and then retrieves a token (the "grant_code") that the icloud.com page uses to continue the login process.

To do this, the daemon communicates with an API on “gsa.apple.com,” to which it sends the details of the request and from which it receives the token.

The security flaw discovered by Computest resided in that gsa.apple.com API: it did not verify that the "redirect_uri" belonged to the service identified by the "client_id", so a grant code issued for iCloud could be delivered to any page hosted on one of a small set of allow-listed Apple domains.

“Even though the client_id and redirect_uri were included in the data submitted to it by akd, it did not check that the redirect URI matches the client ID,” Alkemade noted. “Instead, there was only a whitelist applied by AKAppSSOExtension on the domains. All domains ending with apple.com, icloud.com and icloud.com.cn were allowed.”


This means that an attacker who could exploit a cross-site scripting vulnerability on any subdomain of apple.com, icloud.com or icloud.com.cn could run a malicious snippet of JavaScript that triggers a Touch ID login prompt using the iCloud client ID, have the resulting grant code delivered to the attacker's own page, and use it to obtain a session on icloud.com.

Setting Up Fake Hotspots to Take Over iCloud Accounts

In a separate scenario, no XSS bug is needed at all. When a device joins a new Wi-Fi network, iOS and macOS detect a captive portal by fetching a page from "captive.apple.com" over plain HTTP, and the network operator can answer that request with any content. A malicious hotspot could therefore serve a page with JavaScript that, as far as the domain allow-list is concerned, comes from an Apple domain, and gain access to a user's account as soon as the user accepted the Touch ID prompt that page triggered.

“A malicious Wi-Fi network could respond with a page with JavaScript which initiates OAuth as iCloud,” Alkemade said. “The user receives a TouchID prompt, but it’s very unclear what it implies. If the user authenticates on that prompt, their session token will be sent to the malicious site, giving the attacker a session for their account on iCloud.”

“By setting up a fake hotspot in a location where users expect to receive a captive portal (for example at an airport, hotel or train station), it would have been possible to gain access to a significant number of iCloud accounts, which would have allowed access to backups of pictures, location of the phone, files and much more,” he added.
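The missing check described above, modelled as an added example that is not Apple's code: the first policy reproduces the behaviour the article attributes to the gsa.apple.com API (a suffix allow-list on the redirect host, with no binding between "client_id" and "redirect_uri"); the second is the standard OAuth fix, an exact match against redirect URIs registered per client. The client ID "icloud", the registered callback URL, the XSS and captive-portal URLs and the grant-code format are all constructed for illustration; matching the allow-list on a label boundary is also an assumption of the model, since the article does not say how Apple's check was implemented.

```python
from urllib.parse import urlsplit
import secrets

# Domains the article says AKAppSSOExtension allow-listed.
ALLOWED_SUFFIXES = ("apple.com", "icloud.com", "icloud.com.cn")

# Hypothetical per-client registration of redirect URIs (constructed for the
# example; Apple's real client IDs and callback URLs are not on the page).
REGISTERED_REDIRECTS = {
    "icloud": {"https://www.icloud.com/auth/callback"},
}


def host_allowed(host: str) -> bool:
    """Suffix allow-list on the redirect host. Matching on a label boundary is
    an assumption of this model; a bare endswith() would also pass
    'evilapple.com'."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def issue_grant_vulnerable(client_id: str, redirect_uri: str, biometric_ok: bool):
    """Policy the article attributes to the gsa.apple.com API: the biometric
    check must succeed and the redirect host must be on the allow-list, but
    client_id is never compared with redirect_uri. Returns a grant code or None."""
    if not biometric_ok:
        return None
    if not host_allowed(urlsplit(redirect_uri).hostname or ""):
        return None
    # client_id is unused: any page on an allow-listed host collects iCloud's code.
    return "grant_" + secrets.token_hex(8)


def issue_grant_hardened(client_id: str, redirect_uri: str, biometric_ok: bool):
    """Standard OAuth fix: redirect_uri must exactly match a URI registered for
    this client_id. No suffix or substring logic on the host."""
    if not biometric_ok:
        return None
    if redirect_uri not in REGISTERED_REDIRECTS.get(client_id, set()):
        return None
    return "grant_" + secrets.token_hex(8)


# Constructed scenarios. The attacker always requests iCloud's client_id but
# names a redirect_uri it controls.
SCENARIOS = {
    # Legitimate icloud.com login using the registered callback.
    "legit_icloud": "https://www.icloud.com/auth/callback",
    # XSS on some Apple subdomain: the injected script points the redirect at itself.
    "xss_apple_subdomain": "https://some-service.apple.com/page?xss=1",
    # Malicious hotspot answering the captive-portal probe as captive.apple.com.
    "captive_portal": "http://captive.apple.com/hotspot-detect.html",
    # Look-alike host outside the allow-list.
    "lookalike": "https://icloud.com.evil.example/cb",
}


def run_scenarios(policy) -> dict:
    """Return {scenario: grant issued?} for one policy, with the user having
    accepted the Touch ID prompt in every case."""
    return {
        name: policy("icloud", uri, biometric_ok=True) is not None
        for name, uri in SCENARIOS.items()
    }


if __name__ == "__main__":
    for policy in (issue_grant_vulnerable, issue_grant_hardened):
        print(policy.__name__)
        for name, issued in run_scenarios(policy).items():
            print(f"  {name:22} grant issued: {issued}")
```

Under the vulnerable policy the XSS and captive-portal scenarios both receive a grant code for the iCloud client, exactly the outcome the article describes; under the hardened policy only the registered iCloud callback does. The fix is not a tighter allow-list but a different check: the authorization server must bind each redirect URI to the client that registered it.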

This is not the first time security issues have been found in Apple’s authentication infrastructure. In May, Apple patched a flaw impacting its “Sign in with Apple” system that could have made it possible for remote attackers to bypass authentication and take over targeted users’ accounts on third-party services and apps that have been registered using Apple’s sign-in option.


Credit: The Hacker News, by Ravie Lakshmanan
