‘Sign in with Apple’: Apple Paid $100,000 to an Indian Security Researcher for Discovering a Vulnerability


Apple Inc., the world-leading tech giant popularly known for its iPhones, released a new way of signing in to apps and websites, ‘Sign in with Apple’, in June last year at its Worldwide Developers Conference.

It was an innovative idea: users sign in through Apple’s own authentication system, which keeps their information from being collected by third-party apps.

Often when you log in to apps and websites, you are required to create a new account. However, towards the bottom of the page you may find options such as ‘Sign in with Google’ or ‘Sign in with Facebook’. In most cases, the third-party app or website is integrated with the login platform, allowing you to use the same credentials as your email or social media account. This may be convenient, but it comes with considerable risk and potential for hacking.

Surprisingly, Apple developed its ‘Sign in with Apple’ option without handing user information to the apps, so that it stays with Apple.

We are all aware of how Apple prioritizes the security of its users and goes above and beyond by rewarding any wizard who spots and reports vulnerabilities through its Bug Bounty Program.

One such case surfaced when a security researcher from Delhi, India discovered a vulnerability in Apple’s sign-in system that could have allowed a hacker to take over an Apple account just by using the user’s email address.

Bhavuk Jain published his security shocker on May 30th 2020 on his blog, allowing Apple to patch the vulnerability quickly. Here are the two reasons why the secure sign-in by Apple was not so secure:

First, the Indian geek discovered that an authentication token could be requested from Apple for any email address, and that token verified correctly against Apple’s public key.

Second, this allowed any hacker to forge a token linked to that email address and thereby gain access to the user’s account. Jain noted that withholding the user’s email address from the third-party app’s server would not have helped prevent the issue.
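To make the two points above concrete, here is an added example (not code from Apple, from Jain’s post, or from any relying party) of what a third-party app’s identity-token verification looks like and why it could not, by itself, have caught this bug. The key pair, issuer URL handling, audience, nonce and subject values are all constructed for the demo; the locally generated key only stands in for Apple’s signing key. A token minted by the holder of that key for any email address passes the signature check, so the relying party’s remaining checks (issuer, audience, expiry, nonce, linking accounts on `sub`) limit where a token can be used but cannot detect one that the issuer itself signed for the wrong person; that part of the fix had to live on Apple’s side.

```python
# Added example: minimal RS256 identity-token issuer and relying-party verifier.
# The key pair is constructed locally and only stands in for Apple's signing key;
# nothing here is Apple's code or Bhavuk Jain's. Requires Python 3.8+ (pow(e, -1, m)).
import base64, hashlib, json, secrets, time

APPLE_ISSUER = "https://appleid.apple.com"   # issuer a Sign in with Apple client expects
# DER DigestInfo prefix for SHA-256 used by PKCS#1 v1.5 (RFC 8017, section 9.2)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n, rounds=24):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_rsa_keypair(bits=1024):
    """Demo-only key; a real relying party fetches the issuer's published public keys."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:          # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def _emsa_pkcs1_v15(msg, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(priv, msg):
    k = (priv["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(msg, k), "big")
    return pow(em, priv["d"], priv["n"]).to_bytes(k, "big")

def rs256_verify(pub, msg, sig):
    k = (pub["n"].bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(msg, k))

def mint_id_token(priv, claims):
    """The issuer's side: sign whatever claims it decided to put in the token."""
    header = {"alg": "RS256", "kid": "demo-key", "typ": "JWT"}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    return signing_input + "." + _b64url(rs256_sign(priv, signing_input.encode()))

def verify_id_token(pub, token, expected_aud, expected_nonce, now=None):
    """Relying-party checks. Returns (ok, reason, claims)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    h, p, s = parts
    try:
        header, claims, sig = json.loads(_b64url_dec(h)), json.loads(_b64url_dec(p)), _b64url_dec(s)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    if header.get("alg") != "RS256":         # never let the token pick its own algorithm
        return False, "unexpected alg", None
    if not rs256_verify(pub, f"{h}.{p}".encode(), sig):
        return False, "bad signature", None
    if claims.get("iss") != APPLE_ISSUER:
        return False, "issuer mismatch", None
    if claims.get("aud") != expected_aud:    # token must be meant for this app
        return False, "audience mismatch", None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "token expired", None
    if claims.get("nonce") != expected_nonce:  # binds the token to this login attempt
        return False, "nonce mismatch", None
    if not claims.get("sub"):                # link accounts on the stable subject, not email
        return False, "missing subject", None
    return True, "ok", claims

def demo(now=1_600_000_000):
    key = generate_rsa_keypair(1024)         # constructed; stands in for the issuer's key
    claims = {"iss": APPLE_ISSUER, "aud": "com.example.demoapp", "sub": "001234.demo-subject",
              "email": "user@example.com", "nonce": "nonce-from-client", "iat": now, "exp": now + 600}
    token = mint_id_token(key, claims)      # passes every check below: it is genuinely signed
    tampered = token[:-4] + ("AAAA" if not token.endswith("AAAA") else "BBBB")
    return {
        "good": verify_id_token(key, token, "com.example.demoapp", "nonce-from-client", now)[1],
        "wrong_aud": verify_id_token(key, token, "com.other.app", "nonce-from-client", now)[1],
        "expired": verify_id_token(key, token, "com.example.demoapp", "nonce-from-client", now + 3600)[1],
        "tampered": verify_id_token(key, tampered, "com.example.demoapp", "nonce-from-client", now)[1],
    }
```

Running `demo()` shows the four outcomes a relying party can distinguish: a correctly signed token is accepted, one presented to the wrong app, an expired one, and one whose signature bytes were altered are all rejected. What no check in `verify_id_token` can see is whether the issuer should have minted the token for that `email` and `sub` in the first place, which is exactly the gap Jain reported.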

“In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures. This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not,” Jain posted on his blog.

In conclusion, Jain said that Apple conducted an internal investigation, found that no user accounts had been compromised, and fixed the issue before any unusual incidents occurred.