Apple appears to have dodged a substantial bullet after a researcher uncovered a gaping hole in its sign-in authentication system that allowed full account takeover in third-party apps, and quite possibly services such as iCloud as well.

In April this year, Delhi-based bug bounty hunter Bhavuk Jain found that the Sign in with Apple system could easily be tricked into handing over JavaScript Object Notation (JSON) authentication tokens for any user's email address.

Apple's security team confirmed the bug in the OAuth-style sign-in system, and paid Jain a US$100,000 bounty for finding it.

Sign in with Apple is required for third-party apps such as Dropbox, Spotify and Airbnb that use other social logins like Facebook and Google, and gives users the option of reducing the amount of data they have to hand over.

Users can either provide their Apple ID email address to third-party apps, or hide it.

In the latter case, Sign in with Apple creates a one-off Apple ID email address for the user, and the server creates a signed JSON Web Token (JWT) that is verified with public key cryptography.

Jain said the bug in the sign-in server-side authentication code was "fairly critical" as it could have allowed full account takeover for services that use Sign in with Apple.

"I found I could request JWTs for any Email ID from Apple, and when the signature of these tokens was verified using Apple's public key, they showed as valid.

This means an attacker could forge a JWT by linking any Email ID to it, and gain access to the victim's account," Jain wrote.
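To show where a relying party's own checks stop, here is an added example (not code from the article, from Jain or from Apple) of a minimal identity-token mint and the verification an app performs on it. It uses an HMAC secret as a stand-in for Apple's RS256 public-key signature so it runs offline, and the issuer, client id and email values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for the identity provider's signing key. Apple signs
# identity tokens asymmetrically; a shared HMAC secret is used here only so the
# example runs with the standard library (an assumption, not Apple's setup).
IDP_SECRET = b"constructed-idp-signing-key"
ISSUER = "https://appleid.apple.com"
CLIENT_ID = "com.example.relyingparty"  # hypothetical app identifier


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(email: str, audience: str, now: int) -> str:
    """Identity provider side: issue a signed token naming an email address.
    The bug in the article meant such a token could be obtained for an email
    the caller did not own, so the signature alone proves nothing about that."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": audience, "email": email, "iat": now, "exp": now + 600}
    signing_input = header + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify_id_token(token: str, now: int) -> Optional[dict]:
    """Relying party side: check signature, issuer, audience and expiry.
    Returns the claims when every check passes, otherwise None."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(IDP_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return None
    claims = json.loads(_unb64(c))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```

A token the provider itself issued for someone else's email passes every one of these checks, which is why the flaw had to be fixed on the issuing side rather than in the apps.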

Apple told Jain that its investigation of logs showed no misuse or account compromises from the vulnerability.

Other developers speculated that the bug could have been used to access Apple services as well, as the company's security bounty payouts page lists an award of US$100,000 for "broad, unauthorised control of an iCloud account", the only category that fits Jain's report.