Telangana Today
Sunday, April 18, 2021

Indian developer earns Rs 75 lakh for finding ‘Sign in with Apple’ bug

By IANS  |  Published: 31st May 2020  12:19 pm

New Delhi: A 27-year-old Indian security researcher, Bhavuk Jain, has grabbed $100,000 (over Rs 75.5 lakh) from Apple for discovering a now-patched zero-day vulnerability in the ‘Sign in with Apple’ account authentication.

The zero-day vulnerability could have allowed a hacker to break into the account of an Apple user who logs into third-party apps like Dropbox, Spotify, Airbnb and Giphy (now acquired by Facebook) and more.

Jain, who holds a bachelor’s degree in electronics and communication, discovered the zero-day bug in ‘Sign in with Apple’, which affected third-party applications that were using it and didn’t implement their own additional security measures.

“This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not,” Jain said in a statement on Saturday.

“For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty programme,” he announced.

Jain is a full-stack developer interested mostly in mobile app development using React Native. He is currently a full-time bug bounty hunter “trying to make the internet a safer place for everyone”.

Launched in 2019, ‘Sign in with Apple’ is intended as a more privacy-focused alternative to third-party logins. Jain disclosed the flaw to Apple, which led to an award from Apple’s bug bounty programme.

Apple has since patched the bug. According to Jain, ‘Sign in with Apple’ works similarly to ‘OAuth 2.0’. “There are two possible ways to authenticate a user by either using a JWT (JSON Web Token) or a code generated by the Apple server. The code is then used to generate a JWT,” he explained.

In the second step, while authorizing, Apple gives an option to a user to either share the Apple Email ID with the third-party app or not. If the user decides to hide the Email ID, Apple generates its own user-specific Apple relay Email ID.

“Depending upon the user selection, after successful authorization, Apple creates a JWT which contains this email ID which is then used by the 3rd party app to log in a user,” said Jain.

He found that he could request JWTs for any email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid.

“This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account,” Jain noted.

The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins.

Before patching the bug, Apple investigated its logs and determined that there was no misuse or account compromise due to this vulnerability.
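
The flaw described above, modelled as an added example (not code from the article, Jain or Apple): a valid signature only proves who issued a token, so an issuer that signs whatever email ID is requested produces tokens that pass verification at the third-party app. The issuer functions, session store, addresses and the HMAC key standing in for Apple's key pair are constructed for illustration, and the ownership check is an assumed fix, not Apple's actual patch.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for the issuer's signing key. The real service signs with a
# private key and apps verify with the public key; HMAC keeps this in the stdlib.
IDP_KEY = b"constructed-demo-key"

# Constructed session store: the email IDs each signed-in account may share
# (its real address and its relay address).
SESSIONS = {"session-a": {"a@example.com", "relay-a@relay.example"}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _mac(header: str, body: str) -> str:
    return _b64(hmac.new(IDP_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest())

def _sign(claims: dict) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_mac(header, body)}"

def verify(token: str):
    """Third-party app's check: claims if the signature is valid, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    if not hmac.compare_digest(_mac(header, body).encode(), sig.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def issue_flawed(session_id: str, requested_email: str) -> str:
    # Flaw: the caller is signed in, but the requested email is signed as-is.
    if session_id not in SESSIONS:
        raise PermissionError("not signed in")
    return _sign({"iss": "idp.example", "email": requested_email})

def issue_fixed(session_id: str, requested_email: str) -> str:
    # Assumed fix: only sign an email that belongs to the authenticated account.
    if requested_email not in SESSIONS.get(session_id, set()):
        raise PermissionError("email does not belong to this account")
    return _sign({"iss": "idp.example", "email": requested_email})

if __name__ == "__main__":
    token = issue_flawed("session-a", "b@example.com")
    print("flawed issuer, signature valid, claims:", verify(token))
    try:
        issue_fixed("session-a", "b@example.com")
    except PermissionError as exc:
        print("fixed issuer refuses:", exc)
```

The third-party app's `verify` is identical in both cases, which is why the check has to live at the issuer: the app cannot tell a wrongly issued token from a legitimate one by its signature.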
