Apple has closed a serious security hole in its login service "Sign in with Apple", through which an attacker could have taken over the identity of any registered user. The IT security specialist Bhavuk Jain discovered the hole and reported it to Apple, for which he received a reward, The Hacker News reported.
Identity in tokens not compared
The hole allowed an attacker to authenticate as an arbitrary user to a service or app that relies on the Apple login service. The attacker was thus able to act within the service or app as this user, that is, to completely take over the external Apple account within this context. Jain reported the vulnerability, discovered in April, to Apple and was paid a reward of 100,000 US dollars under the company's bug bounty program.
After authentication with the Apple login server is completed, an exchange via JSON Web Tokens begins between the third-party provider's service or app and the Apple server, so that the proof of identity is also passed to the third-party provider. Here, Jain was able to present modified tokens carrying a foreign identity (that of a potential victim) and pass himself off to the third-party provider as this identity, because Apple did not check whether the originally authenticated user and the user identity in the token matched, The Hacker News explains.
The procedure also worked if the Apple identity was hidden from the third-party provider, and even if a new Apple user identity was created with the application. Jain points out that third-party providers that add a second authentication method (two-factor authentication) would probably not be affected by the problem in Apple's login service.
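The missing comparison described above can be modelled in a few lines. This is an added example, not Apple's code or code from the original report: the function names, the `sub` claim, the example addresses and the shared HMAC key are assumptions made for illustration (a real provider would sign with an asymmetric key).

```python
import base64, hashlib, hmac, json

IDP_KEY = b"constructed-demo-key"  # constructed stand-in for the provider's signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(IDP_KEY, signing_input.encode(), hashlib.sha256).digest())

def issue_token(session_user: str, requested_identity: str, check_binding: bool = True) -> str:
    """Provider side (hypothetical): sign a token naming requested_identity.

    session_user is who actually authenticated. check_binding=False models
    the missing comparison; True is the corrected behaviour.
    """
    if check_binding and session_user != requested_identity:
        raise PermissionError("token identity does not match authenticated user")
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": requested_identity}).encode())
    return f"{header}.{payload}.{_sign(header + '.' + payload)}"

def relying_party_login(token: str) -> str:
    """Third-party side: verify the signature, return the identity to log in."""
    header, payload, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(f"{header}.{payload}")):
        raise ValueError("bad signature")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["sub"]

def demo() -> dict:
    results = {}
    # Without the binding check the provider signs a token for someone else,
    # and the third party's signature check still passes: it cannot tell.
    token = issue_token("mallory@example.test", "alice@example.test", check_binding=False)
    results["unbound"] = relying_party_login(token)
    # With the check, issuance itself is refused.
    try:
        issue_token("mallory@example.test", "alice@example.test")
        results["bound"] = "issued"
    except PermissionError:
        results["bound"] = "rejected"
    # A user asking for a token about themselves is unaffected.
    results["honest"] = relying_party_login(
        issue_token("alice@example.test", "alice@example.test"))
    return results

if __name__ == "__main__":
    print(demo())
```

Because the token is validly signed in both cases, the only place the mismatch can be caught is at issuance on the provider.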
Error fixed in Apple's code
Apple closed the hole before it became known. The error was solely in Apple's code, not in the third-party implementations. According to the company's statement, an evaluation of the server logs found no case in which this vulnerability was used to assume a user's identity without authorization.
The login alternative to similar services from Google and Facebook that Apple presented in 2019 (German designation: "Mit Apple anmelden") is meant to provide a convenient and especially secure authentication method for Apple users who do not want to create a separate user account for each app. Since autumn 2019, apps in Apple's App Store must implement the service if they already use comparable services from competitors.