Apple rewards Indian man $1,00,000 for discovering zero-day vulnerability

Since Apple made it mandatory for apps that did not support third-party logins, many developers have made use of the “sign in with Apple” service for their apps. This is where the bug was discovered.

A new zero-day vulnerability was recently pointed out in Apple's "sign in with Apple" authentication page. The man from Telangana, India now claims to have been paid $100,000 (about Rs 75 lakh) by the US-based tech giant under its Security Bounty program.

The vulnerability affects third-party apps that use Apple's authentication, but do not have any security measures of their own. Once exploited, the vulnerability would allow attackers to take full control over user accounts on third-party applications.


Bhavuk Jain, the programmer, also added, as per a report by LiveMint, that Apple conducted an investigation of its logs after discovering the vulnerability and found that it had not been misused and that no accounts were compromised because of it. Jain further explains in his blog that the "sign in with Apple" function works similarly to OAuth 2.0, authenticating a user by using either a JWT or a code generated by Apple's own server.

Jain discovered that attackers could actually forge a JWT by linking any Email ID to it and gain access to a user's app account. The attackers could have requested JWTs for any Email ID from Apple. Further, when the signature of these tokens was verified using Apple's public key, they showed as valid.
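A simplified model of the flaw described above, added here as an illustration (it is not Apple's code or Jain's): an issuer that signs whatever Email ID is requested, next to one that checks the request against the authenticated session. The function names, the session table and the HS256 stand-in for Apple's public-key signature are assumptions made for the example.

```python
import base64, hashlib, hmac, json

ISSUER_KEY = b"constructed-demo-key"  # stand-in for the issuer's signing key
# Constructed sample data: the email addresses each logged-in session owns.
ACCOUNT_EMAILS = {"session-alice": {"alice@example.com"},
                  "session-mallory": {"mallory@example.com"}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(claims: dict) -> str:
    """Build a compact JWT; HS256 is used only to stay in the standard library."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(ISSUER_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def issue_token_flawed(session: str, requested_email: str) -> str:
    """Model of the flaw: the requested email is signed without any ownership check."""
    return _sign({"iss": "issuer.example", "email": requested_email})

def issue_token_checked(session: str, requested_email: str) -> str:
    """Hardened model: sign only an email that belongs to the authenticated session."""
    if requested_email not in ACCOUNT_EMAILS.get(session, set()):
        raise PermissionError("email does not belong to the authenticated account")
    return _sign({"iss": "issuer.example", "email": requested_email})

def relying_party_verify(token: str) -> dict:
    """What a third-party app does: check the signature, then trust the claims."""
    head, body, sig = token.split(".")
    expected = hmac.new(ISSUER_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def demo() -> tuple:
    """Return (email the app accepts from the flawed issuer, whether the checked issuer refuses)."""
    token = issue_token_flawed("session-mallory", "alice@example.com")
    accepted_email = relying_party_verify(token)["email"]  # signature is valid
    try:
        issue_token_checked("session-mallory", "alice@example.com")
        refused = False
    except PermissionError:
        refused = True
    return accepted_email, refused
```

The signature check succeeds in both models because it only proves who signed the token; whether the email claim is true depends entirely on the issuer's own check.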

Sign in with Apple

Since Apple made it mandatory for apps that did not support third-party logins, many developers have made use of the "sign in with Apple" service for their apps. The feature allows users to sign in to apps and websites by using their Apple IDs instead of their social media IDs.

The service became instantly popular. Unlike various third-party sign-ins, Apple's authentication allowed users the option to not share their Email IDs, instead generating a random Email ID for them. This helped strengthen user privacy by making sure that the real Email IDs did not fall into the wrong hands. This also made users browsing through the web feel less exposed.


Published: Sun, May 31, 2020 5:39pm


