Security researcher Bhavuk Jain found a zero day vulnerability with Sign In with Apple in April. Apple has already patched it but details are only coming out now. Mr. Jain was awarded US$100,000 as part of the Apple Security Bounty program.
Sign In with Apple Zero Day
If exploited, the vulnerability would have let an attacker take over a person’s Sign In with Apple account on a website even if that person didn’t have an Apple ID. Sign In with Apple relies on either a code generated by Apple’s servers or a JSON Web Token (JWT).
When a person creates an account on a website or app using Sign In with Apple, they sometimes have the option to hide their email. When the email is hidden Apple creates a private relay to forward emails to the person’s real address. Apple creates a JWT containing the email ID used by the third party.
I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.
Apple’s investigation into the issue didn’t find any examples where this attack was actually exploited in the wild.