-
01 Jun 2020
-
Bhavuk Jain, a techie hailing from Delhi, has bagged a $100,000 (Rs. 75.50 lakh) bug bounty from Apple.
Jain had flagged a critical security defect in the Cupertino giant's 'Sign in with Apple' system, a problem that, he says, might have permitted hackers to take complete control of accounts on third-party apps and services.
Here is all you need to know about it.
-
First, a quick recap of 'Sign in with Apple'
-
Back in June 2019, Apple debuted 'Sign in with Apple' as a 'more private' alternative to the quick social login options from Facebook and Google.
The feature authenticated users through their Apple ID email and also offered the option to generate a dummy email in its place.
Naturally, people liked the idea of signing in through Apple and not giving away their data to Google and Facebook.
-
So, what went wrong?
-
Months later, in 2020, Jain discovered that if a third-party app did not have its own security measures, an attacker could create an authentication token linked to any Apple ID email, and that token would check out as 'valid' against the company's public key.
This, he found, opened access to the target's account on the app in question, even in cases where a dummy email was used.
-
Issue fixed through server-side changes
-
Following the discovery, Jain reported the issue to Apple, and the company pushed a server-side update to patch it.
The researcher says that the Cupertino giant carried out an internal investigation of the issue and determined that the flaw had not been exploited to compromise any account on any app or website.
After releasing the fix, Apple paid him the sizeable bug bounty.
-
Apple should have detected the flaw sooner
-
Though the issue has been mitigated, many are wondering