The Security Flaw That Almost Knocked Apple Off Its Perch

By Felix Okendo

A flaw discovered this spring within Apple Inc.’s “Sign in With Apple” feature by an India-based developer brought him $100,000 through the company’s Security Bounty Program, part of an industry genre known as “bug-bounty programs.”

“Bug-bounty programs are likely becoming an important best practice for a widening swath of industries,” Graham Dufault, senior director for public policy at ACT-The App Association in Washington, told Digital Privacy News.

Such programs offer rewards to researchers for discovering and reporting bugs in software and hardware. In most cases, the flaws are related to vulnerabilities and exploits in the products — and companies pay well for the discoveries.

Apple, which later repaired the bug — discovered in March by Bhavuk Jain — after determining that no compromises or data misuse had occurred, did not return requests for comment.

While these programs prove useful in enhancing security, experts warned they might not be effective in protecting user privacy.


“A bug bounty is mostly focused around security and no privacy,” Omair Manzoor, CEO and founder of the ioSENTRIX cybersecurity firm in Sterling, Va., told Digital Privacy News.

“Sometimes, due to security concerns, we do find issues that uncover underlying privacy-related problems,” he added. “I haven’t seen any privacy-focused bounty hunting yet.”

The Bug

However, Jain, 27, discovered a sophisticated bug in Sign in With Apple (SIWA) that allowed malicious users to hijack accounts.

Jain also has uncovered vulnerabilities in Facebook, Google and Pinterest software.

The flaw, he told Digital Privacy News, occurred in SIWA’s authentication process. It involved an encrypted code — a JSON web token (JWT) — provided by Apple’s servers that was used to create the email ID needed to access accounts.

Hackers could exploit the bug to forge JWTs to create fake email IDs, he explained.

“I could request (JWTs) for email IDs that are from Apple,” Jain said. “When Apple’s public key verified these tokens’ signature, they were marked as valid.

“This implies that a hacker could forge the JWTs by linking email IDs to them and open up full access to their targets’ accounts.”


Jain noted that Apple had required all apps to include SIWA if they wanted to be included on iPhones.

App developers, therefore, had no choice — and all apps or websites that integrated SIWA, but lacked a strong security system, were vulnerable to “full user-accounts takeover,” Jain told Digital Privacy News.

The flaw was invisible to users but easy to exploit on the hacker’s end, he said, because it could allow the full takeover of a user’s account once a hacker had that user’s email ID.

“What if, I say, your email ID is all I need to take over your account on your favorite website or an app?” Jain posed. “Sounds scary, right?

“This is what the bug in Sign in With Apple allowed me to do.”

No Privacy-Focused Programs

Companies invest top dollar in bug-bounty programs. Microsoft, for instance, disclosed last month that it had paid $13.7 million in bug bounties over the past year to more than 300 hunters across six continents.

The figure was more than three times the $4.4 million the company paid out over the previous 12-month period.


But new privacy laws could change that, ACT’s Dufault said, referencing the California Consumer Privacy Act, Europe’s General Data Protection Regulation and various state regulations.

“It will be interesting to see how companies handle compliance,” he told Digital Privacy News.

“A patchwork of such laws would probably lead to conflicting — or, at least, inconsistent — requirements.

“This may force companies,” Dufault observed, “to pump a lot of funds and resources in developing and maintaining compliance programs that are not well-balanced to address shifting consumer privacy expectations, as well as product and service development — all at the same time.”

Felix Okendo is a writer in Nairobi, Kenya.
