Sign in with Apple—a privacy-enhancing tool that lets users log into third-party apps without revealing their email addresses—just fixed a bug that made it possible for attackers to gain unauthorized access to those same accounts.
“In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn't implement their own additional security measures,” app developer Bhavuk Jain wrote on Sunday. “This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”
Jain privately reported the flaw to Apple under the company's bug bounty program and received a hefty $100,000 payout. The developer shared details only after Apple had updated the sign-in service to patch the vulnerability.
Sign in with Apple debuted in October as an easier, more secure, and more private way to sign into apps and websites. Faced with a mandate that many third-party iOS and iPadOS apps offer the option to sign in with Apple, a host of high-profile services entrusted with huge amounts of sensitive user data adopted it.
Instead of using a social media account or email address, filling out Web forms, and choosing an account-specific password, iPhone and iPad users can tap a button and sign in with Face ID, Touch ID, or a device passcode. The bug exposed users to the possibility that their third-party accounts would be completely hijacked.