
Developer scores $100,000 bounty from Apple for exposing a critical vulnerability

Apple ID bug would allow hackers to take control of a user’s account


Apple awarded $100,000 to Bhavuk Jain for identifying a security vulnerability in the "Sign in with Apple" feature found on some websites and third-party applications. Hackers could use the bug to take control of a user's account.

Apple's servers use a JSON Web Token, which can contain the user’s Apple ID email address, to verify a user account during the “Sign in with Apple” process.

Jain discovered he could request a JSON Web Token for a real Apple account, and the token's signature would verify as valid each time. With only an email address connected to an Apple ID, a hacker could obtain a validated token and access the account.

Apple reviewed server logs during the patching process and determined the flaw had not been exploited. Accounts using two-factor authentication are less likely to be vulnerable to this bug.
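The flaw class described above (an identity provider signing a token that names an email address the requester never proved they own) is easiest to see in a toy model. The following is an added example written for this article, not Apple's code or any reconstruction of it. It models a token issuer that signs a JWT for the authenticated session, first in a vulnerable form that signs whatever email the request names, then in a hardened form that refuses unless that email is one the logged-in user has verified. The relying-party verifier shows the article's point: a token from the vulnerable issuer passes every signature and claim check, because the signature is genuine. All names, keys, issuer and audience strings are constructed placeholders, and the signature is an HMAC so the example runs with only the standard library; a real identity provider signs with an asymmetric key and publishes the public half.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the toy issuer (placeholders, not Apple's).
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"
ISSUER = "https://issuer.example"
AUDIENCE = "com.example.relying-party"
TOKEN_LIFETIME = 600  # seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Issuer side: produce header.payload.signature with an HMAC-SHA256 signature."""
    header_b64 = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = header_b64 + "." + payload_b64
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now: float = None) -> dict:
    """Relying-party side: checks signature, algorithm, issuer, audience and expiry.

    What it cannot check is whether the issuer tied the email claim to the person
    who actually logged in; only the issuer can enforce that.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(ISSUER_KEY, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects alg=none and algorithm confusion
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def _claims_for(session: dict, email: str, now: float) -> dict:
    return {
        "iss": ISSUER,
        "aud": AUDIENCE,
        "sub": session["user_id"],  # the identity that actually authenticated
        "email": email,
        "iat": int(now),
        "exp": int(now) + TOKEN_LIFETIME,
    }


def issue_token_vulnerable(session: dict, requested_email: str, now: float = None) -> str:
    """Models the flaw class: the email claim is copied from the request unchecked,
    so the signed token can name an address the session's user does not own."""
    now = time.time() if now is None else now
    return sign_jwt(_claims_for(session, requested_email, now))


def issue_token_fixed(session: dict, requested_email: str, now: float = None) -> str:
    """Hardened form: only emails verified for the authenticated user may be asserted."""
    now = time.time() if now is None else now
    if requested_email not in session["verified_emails"]:
        raise PermissionError("requested email is not verified for the authenticated user")
    return sign_jwt(_claims_for(session, requested_email, now))


if __name__ == "__main__":
    # Constructed session: the user who logged in to the toy identity provider.
    session = {"user_id": "user-1001", "verified_emails": ["owner@example.test"]}
    token = issue_token_vulnerable(session, "someone-else@example.test", now=1000)
    print("vulnerable issuer token verifies:", verify_jwt(token, now=1500)["email"])
    try:
        issue_token_fixed(session, "someone-else@example.test", now=1000)
    except PermissionError as e:
        print("fixed issuer refuses:", e)
```

The verifier is deliberately complete, so the lesson is not "the relying party skipped a check": signature, algorithm, issuer, audience and expiry all pass for the vulnerable issuer's token. The check that matters lives in the issuer, where the asserted email must be bound to the session that authenticated, which is what `issue_token_fixed` adds.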

This type of hacking-for-pay is relatively common today. Apple and other tech companies use bounty programs to encourage white-hat hackers to uncover vulnerabilities in their software.

This allows companies to patch flaws before they are made public for a fraction of the cost of fixing hacks post-mortem. Companies pay the most substantial bounties for exposing serious vulnerabilities.
