The same login feature that Apple introduced last year to protect privacy could have been abused to hack into third-party applications on an iPhone, a security researcher has found.
The discovery earned New Delhi-based programmer Bhavuk Jain $100,000, he said, highlighting the critical nature of the flaw and the big payouts Apple has been offering through a bug bounty program it expanded last year.
Jain figured out how to generate a login token for an Apple ID and use it to access third-party apps with lax security. Manipulating the tokens at their source was all Jain needed to access the apps.
The research comes a year after Apple unveiled the “Sign in with Apple” feature, which authenticates users on apps without disclosing their Apple IDs. Apple has touted it as a more privacy-conscious alternative to requiring users to log in to apps through their social media accounts.
Jain did not detail the types of apps he could’ve accessed, but the sign-in feature is increasingly popular with app developers, he said. “A lot of developers have integrated ‘Sign in with Apple’ since it is mandatory for applications that support other social logins,” Jain wrote in a blog discussing his findings. Apple didn’t find any evidence of real-world hacks that had exploited the vulnerability, he said.
It’s the kind of critical bug that Apple will pay big money to researchers to track down. Last month, another security researcher revealed a hack of an iPhone camera and microphone that bagged him $75,000.
An Apple official confirmed that the company had paid Jain $100,000 for the bug and fixed the issue.
In addition to the authentication tokens that support it, an Apple ID itself can be valuable information for an attacker. A Google researcher in January detailed how, armed only with a target’s Apple ID, he could remotely compromise an iPhone to steal text messages and other data.