Apple Pays Hacker $100,000 For Finding Major Security Vulnerability
In 2019, Apple announced a Sign in with Apple option for users who preferred not to share personal email addresses with the third-party apps and services they use on their devices. The feature, which was announced at WWDC as a way to protect user privacy, has since been found to contain a serious flaw.
According to a report from iMore, security researcher Bhavuk Jain recently discovered a critical flaw within the feature on iOS devices. If exploited, the flaw would have allowed a remote attacker to take over victims' accounts on third-party apps that use the feature, including Spotify, Dropbox, and Giphy. After finding the vulnerability, Jain reported it to Apple through the company’s bug bounty program, and he has been awarded $100,000 for his discovery.
Jain also broke down his findings in a blog post on his website.
“I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures,” he wrote.
“This bug could have resulted in a full account takeover of user accounts on that third-party application irrespective of a victim having a valid Apple ID or not.”
“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”
Apple has since patched the flaw and assured users that there was no previous misuse or account takeovers caused by the bug.
This isn’t the first time Apple has reached into its pockets to compensate people for finding and reporting bugs in its software. In 2019, the company paid 14-year-old Grant Thompson for bringing a FaceTime bug to its attention, as previously reported by The Inquisitr.
Before being patched by Apple, the bug could be triggered through the FaceTime app by using the Group FaceTime feature. The vulnerability allowed a caller to listen in on the surroundings and conversations of the person they were calling, even if that person chose to ignore the call. In some cases callers also gained access to the recipient's camera.
Over the years, these bug bounty programs have become standard across the tech industry. Apple currently offers up to $200,000 in cash awards via its bounty program, which was officially introduced in 2016.