Friday, February 26, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Privacy

Critical ‘Sign in with Apple’ Bug Could Have Let Attackers Hijack Anyone’s Account

May 31, 2020
in Internet Privacy
Critical ‘Sign in with Apple’ Bug Could Have Let Attackers Hijack Anyone’s Account
585
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

Apple recently paid Indian vulnerability researcher Bhavuk Jain a huge $100,000 bug bounty for reporting a highly critical vulnerability affecting its ‘Sign in with Apple‘ system.

The now-patched vulnerability could have allowed remote attackers to bypass authentication and take over targeted users’ accounts on third-party services and apps that have been registered using ‘Sign in with Apple’ option.

You might also like

North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware

Russian Hackers Targeted Ukraine Authorities With Supply-Chain Malware Attack

Chinese Hackers Using Firefox Extension to Spy On Tibetan Organizations

Launched last year at Apple’s WWDC conference, ‘Sign in with Apple’ feature was introduced to the world as a privacy-preserving login mechanism that allows users to sign up an account with 3rd-party apps without disclosing their actual email addresses (also used as Apple IDs).

In an interview with The Hacker News, Bhavuk Jain revealed that the vulnerability he discovered resided in the way Apple was validating a user on the client-side before initiating a request from Apple’s authentication servers.

For those unaware, while authenticating a user via ‘Sign in with Apple,’ the server generates JSON Web Token (JWT) containing secret information that third-party application uses to confirm the identity of the signing-in user.

Bhavuk found that though Apple asks users to log in to their Apple account before initiating the request, it was not validating if the same person is requesting JSON Web Token (JWT) in the next step from its authentication server.

Therefore, the missing validation in that part of the mechanism could have allowed an attacker to provide a separate Apple ID belonging to a victim, tricking Apple servers into generating JWT payload that was valid to sign in into a 3rd-party service with the victim’s identity.

“I found I could request JWTs for any Email ID from Apple, and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID and gaining access to the victim’s account,” Bhavuk said.

The researcher confirmed The Hacker News that the vulnerability worked even if you choose to hide your email ID from the 3rd-party services and can also be exploited to sign up a new account with the victim’s Apple ID.

“The impact of this vulnerability was quite critical as it could have allowed a full account takeover. Many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple – Dropbox, Spotify, Airbnb, Giphy (now acquired by Facebook),” Bhavuk added.

Though the vulnerability existed on the Apple side of code, the researcher said it’s possible that some services and app offering ‘Sign in with Apple’ to their users might have already been using a second factor of authentication that could mitigate the issue for their users.

Bhavuk responsibly reported the issue to the Apple security team last month, and the company has now patched the vulnerability.

Besides paying bug bounty to the researcher, in response, the company also confirmed that it did an investigation of their server logs and found the flaw was not exploited to compromise any account.


Credit: The Hacker News By: noreply@blogger.com (Unknown)

Previous Post

You’ll Never Guess Who Boomers Will Blame for the Next Housing Crisis

Next Post

ACLU sues Clearview AI claiming the company's tech crosses ethical bounds

Related Posts

North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware
Internet Privacy

North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware

February 26, 2021
Russian Hackers Targeted Ukraine Authorities With Supply-Chain Malware Attack
Internet Privacy

Russian Hackers Targeted Ukraine Authorities With Supply-Chain Malware Attack

February 26, 2021
Chinese Hackers Using Firefox Extension to Spy On Tibetan Organizations
Internet Privacy

Chinese Hackers Using Firefox Extension to Spy On Tibetan Organizations

February 25, 2021
The Top Free Tools for Sysadmins in 2021
Internet Privacy

The Top Free Tools for Sysadmins in 2021

February 25, 2021
Everything You Need to Know About Evolving Threat of Ransomware
Internet Privacy

Everything You Need to Know About Evolving Threat of Ransomware

February 25, 2021
Next Post
Committee orders complete redrafting of Biometric Bills as privacy safeguards are deemed inadequate

ACLU sues Clearview AI claiming the company's tech crosses ethical bounds

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

Why your diversity and inclusion efforts should include neurodiverse workers
Internet Security

Why your diversity and inclusion efforts should include neurodiverse workers

February 26, 2021
North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware
Internet Privacy

North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware

February 26, 2021
The Beginner Guide for Creating a Multi-Vendor eCommerce Website
Data Science

The Beginner Guide for Creating a Multi-Vendor eCommerce Website

February 26, 2021
How Artificial Intelligence, Machine Learning will further advance Ed-tech sector?
Machine Learning

How Artificial Intelligence, Machine Learning will further advance Ed-tech sector?

February 26, 2021
Attorney-General urged to produce facts on US law enforcement access to COVIDSafe
Internet Security

Attorney-General urged to produce facts on US law enforcement access to COVIDSafe

February 26, 2021
Machine Learning & Big Data Analytics Education Market: Soaring Demand Assures Motivated Revenue Share During 2020-2030 – KSU
Machine Learning

Machine Learning & Big Data Analytics Education Market: Soaring Demand Assures Motivated Revenue Share During 2020-2030 – KSU

February 26, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • Why your diversity and inclusion efforts should include neurodiverse workers February 26, 2021
  • North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware February 26, 2021
  • The Beginner Guide for Creating a Multi-Vendor eCommerce Website February 26, 2021
  • How Artificial Intelligence, Machine Learning will further advance Ed-tech sector? February 26, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates