Apple, under its Security Bounty Programme, has rewarded an Indian bug hunter for discovering a flaw in the sign-in process that uses Apple ID.
The Indian developer, Bhavuk Jain, spotted a bug that could have let a hacker break into an Apple user's account through a log-in flaw in third-party apps.
Much has been made of iOS devices and their stiff resistance to takeover threats, but Bhavuk Jain was able to spot a vulnerability that would let a hacker break into the accounts of Apple users who logged into third-party apps such as Dropbox, Spotify, Airbnb and Giphy (now acquired by Facebook), among others.
Though Apple confirmed that there was no noticeable misuse of the bug and that no accounts were compromised, the bug related to the process that allows an iPhone or Mac user to use their Apple ID to log into a third-party website.
“In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures. This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not,” Jain wrote on his blog.
The bug, Jain said, was critical because it allowed a full account takeover if there were no security measures in place while verifying a user. Sign In With Apple is mandatory for applications that support other social logins, such as those offered by Google or Facebook.
Sign In With Apple was launched in 2019 to offer more privacy-focused logins for iOS users and third-party apps, and it works similarly to OAuth 2.0.
Through its Security Bounty Programme, Apple has reportedly paid out a handsome $100,000 for the timely report, at a time when the world is in the midst of a major pandemic and facing a wave of attacks from hackers and fraudsters.
Nowadays, all big tech companies run bug-bounty programmes that award money to people who find security bugs or flaws in their services and applications.
Apple, meanwhile, will be hoping this is the last flaw of its kind, since with another major flaw like this its users' data might not go unscathed.
Originally Posted On NaijaTechGuy