Apple paid 100 thousand dollars for finding a vulnerability in the Sign in with Apple service

Sign in with Apple is a new login method that was meant to protect our privacy. Apple has just paid 100,000 dollars to the developer who found a hole in it.

In iOS 13, Apple introduced a new method of user authorization in mobile applications. Instead of handing your data to software developers or logging in through services such as Facebook or Google, you can use the Sign in with Apple service and protect your privacy.

Some doubt is raised by the fact that Apple used a stick, not a carrot, to encourage developers, but even Tim Cook's biggest competitor praised the new solution. Thanks to it, service providers never learn the user's email address, which makes it easier to defend against spam.

Unfortunately, it turned out that the Sign in with Apple service contained an error that could result in the loss of access to data.

The matter was described by the author of the blog. He explained that knowing the Email ID parameter was enough to access an online service using Sign in with Apple. The developer detected this zero-day vulnerability as early as April, and it affected all sites using this login method that did not implement additional security on their side.

In the blog entry, the developer explains that the vulnerability was related to the user authorization method. It uses either a JSON Web Token (JWT) or a code generated on Apple's servers, from which the JWT is then created. This works similarly to OAuth 2.0, and the way the Cupertino company's solution works is explained in the diagram:

What was the error in Sign in with Apple?

The developer explains that when the user decides to hide their Apple ID from the service provider, Apple generates an Email ID for use with that one application. A JWT containing the Email ID parameter is then generated, and online services use it for authorization.

It turned out that in April it was possible to request a JWT for any Apple Email ID, and the token's signature would verify against the public key. Anyone who learned the Email ID could obtain an artificially generated JSON Web Token and gain full access to the account.
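The failure described above can be reproduced in a toy model, added here as an illustration and not taken from the blog entry or from Apple's code: a relying party that checks only the signature cannot tell whether the issuer confirmed that the requester owns the Email ID. All names, sessions and addresses are constructed, and `issueFixed` is an assumed form of the missing ownership check, not a description of Apple's patch.

```javascript
// Toy issuer and relying party (constructed; not Apple's implementation).
const crypto = require('node:crypto');

const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Constructed session store: session id -> Email ID owned by that signed-in user.
const SESSIONS = new Map([
  ['sess-alice', 'alice-relay@example.invalid'],
  ['sess-bob', 'bob-relay@example.invalid'],
]);

// Build and sign an RS256 JWT that carries the Email ID.
function signToken(emailId) {
  const signingInput = `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64({ iss: 'toy-issuer', email: emailId })}`;
  const sig = crypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Flawed issuer: any signed-in user gets a token for whatever Email ID is requested.
function issueFlawed(sessionId, requestedEmailId) {
  if (!SESSIONS.has(sessionId)) throw new Error('not signed in');
  return signToken(requestedEmailId);
}

// Corrected issuer (assumed check): the Email ID must belong to the session.
function issueFixed(sessionId, requestedEmailId) {
  if (!SESSIONS.has(sessionId) || SESSIONS.get(sessionId) !== requestedEmailId) {
    throw new Error('Email ID does not belong to this session');
  }
  return signToken(requestedEmailId);
}

// Relying party: verifies the signature with the public key, then trusts the Email ID.
function relyingPartyLogin(token) {
  const [header, payload, sig] = token.split('.');
  const ok = crypto.verify('sha256', Buffer.from(`${header}.${payload}`), publicKey,
    Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('bad signature');
  return JSON.parse(Buffer.from(payload, 'base64url').toString()).email;
}
```

With the flawed issuer, a token requested from Bob's session for Alice's Email ID passes `relyingPartyLogin` because the signature is genuine; the signature proves who signed the token, not that the issuer checked ownership.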

Fortunately, Apple states that the zero-day was never used, and the error in the Sign in with Apple service has already been patched. In addition, the person who reported this zero-day boasted that the company awarded them a prize of 100,000 dollars as part of the Apple Security Bounty program.
