Apple has just paid a developer a $100,000 bounty. The researcher received the reward for finding and reporting a bug in the Apple sign-in system.
A Twitter post revealed that the Cupertino tech giant paid a developer a large sum of money. The payment came as a reward after the researcher identified a growing problem that Apple users face.
The tweet surfaced online last week. It came with a screenshot of a message from the tech giant.
— Bhavuk Jain (@bhavukjain1) May 24, 2020
The tweet described the screenshot as the user's first 6-digit bounty from Apple. The post added that a blog post telling the full story would follow this week.
The message in the screenshot said that the recipient qualified for the Apple Security Bounty. It further stated that the user was awarded $100,000 for reporting the issue.
The tweet came from Bhavuk Jain, Twitter handle @bhavukjain1, a GitHub programmer according to his profile. The post continues to gain attention online and has been retweeted almost 400 times with more than 3,000 reactions.
Sign in with Apple ID faced a serious risk
The issue the developer reported to the tech giant was a bug in the login system. Jain discovered that it put users at high risk.
The developer found that, through the Sign in with Apple system, malicious actors could intrude and take over a user's account. He discovered that Apple was missing a certain validation step in the authentication flow.
Last year Apple released the Sign in with Apple ID system. Its purpose is to reduce the amount of tracking enabled by login services.
It limits how much of a user's email address is exposed to third-party apps. Through the system, the user no longer needs to enter their entire email address.
How the Sign in with Apple ID bug works
Sign in with Apple works by generating a code on Apple's servers. The code, called a JSON Web Token (JWT), is needed to authorize a user.
If a user chooses to share their own Apple ID with an app, Apple automatically creates an email ID for that user. The email ID is generated through the JWT and is essential for user login.
Jain found that he could request multiple JWTs for any email ID. He said in a statement that after verification, all of his requested JWTs were valid.
He clarified that this means the Apple system was not validating that the person logging in with the Apple ID and the one requesting the JWT are the same. He added that this is a serious risk, since hackers could exploit the bug to gain full account access.
Apple confirmed that it has patched the vulnerability. The tech giant assured users that the Sign in with Apple ID system is safe to use once again.
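As an added illustration of the missing check described above (this is not Jain's code or Apple's implementation), a toy Python token issuer that mints a JWT for whichever email ID the client requests, beside a hardened issuer that only mints a token for an email ID belonging to the session Apple actually authenticated. The HMAC signer, the session store, the issuer name and the email addresses are all constructed for the demo; a real issuer would use an asymmetric key.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a production issuer would sign with RS256/ES256, not a shared key.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_jwt(claims: dict) -> str:
    """Mint a compact HS256 JWT over the given claims (demo signer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


# Constructed session store: session id -> the identity the login server authenticated,
# i.e. the real address plus the private relay address generated for this app.
SESSIONS = {
    "sess-alice": {"sub": "user-alice",
                   "emails": {"alice@example.com", "x1y2@privaterelay.example"}},
}


def issue_token_unchecked(session_id: str, requested_email: str) -> str:
    """The pattern the article describes: the session exists, but the requested
    email is never compared against the identity that session belongs to."""
    SESSIONS[session_id]
    return sign_jwt({"iss": "demo-issuer", "email": requested_email})


def issue_token_bound(session_id: str, requested_email: str) -> str:
    """Hardened: only mint a JWT whose email belongs to the authenticated user."""
    identity = SESSIONS[session_id]
    if requested_email not in identity["emails"]:
        raise PermissionError("requested email is not owned by the authenticated user")
    return sign_jwt({"iss": "demo-issuer", "sub": identity["sub"], "email": requested_email})


def decode_email(token: str) -> str:
    """Verify the signature and return the email claim a relying party would trust."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))["email"]
```

The relying party cannot tell the two tokens apart by signature alone, which is why the ownership check has to happen on the issuing side, at the point the token is minted.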
Image courtesy of John Swindells/Flickr