Developer scores $100,000 bounty from Apple for exposing a critical vulnerability
Apple ID bug would allow hackers to take control of a user’s account
Apple awarded $100,000 to Bhavuk Jain for identifying a security vulnerability in the "Sign in with Apple" feature found on some websites and third-party applications. Hackers could use the bug to take control of a user's account.
Apple's servers use a JSON Web Token, which can contain the user’s Apple ID email address, to verify a user account during the “Sign in with Apple” process.
Jain discovered he could request a JSON Web Token for a real Apple account, and the signature would be verified each time. With an email address connected to an Apple ID, a hacker could to get a validated token and access the account.
Apple reviewed server logs during the patching process and determined the flaw had not been exploited. Accounts using two-factor authentication are less likely to be vulnerable to this bug.
This allows companies to patch flaws before they are made public for a fraction of the cost of fixing hacks post-mortem. Companies pay the most substantial bounties for exposing serious vulnerabilities.
BIOS security: The next frontier for endpoint protection
Today’s threats upend traditional security measuresDownload now
The role of modern storage in a multi-cloud future
Research exploring the impact of modern storage in defining cloud successDownload now
Enterprise data protection: A four-step plan
An interactive buyers’ guide and checklistDownload now
The total economic impact of Adobe Sign
Cost savings and business benefits enabled by Adobe SignDownload now