The $100,000 bug in Sign in with Apple
In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures. This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not. For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty program.
The Sign in with Apple works similarly to OAuth 2.0. There are two possible ways to authenticate a user by either using a JWT (JSON Web Token) or a code generated by the Apple server. The code is then used to generate a JWT.
The below diagram represents how the JWT creation and validation works. In the 2nd step, while authorizing, Apple gives an option to a user to either share the Apple Email ID with the 3rd party app or not. If the user decides to hide the Email ID, Apple generates its own user-specific Apple relay Email ID.
Depending upon the user selection, after successful authorization, Apple creates a JWT which contains this Email ID which is then used by the 3rd party app to login a user.