365NEWSX

Apple fixes bug that could have given hackers full access to user accounts - Ars Technica

Jun 02, 2020 59 secs

Sign in with Apple—a privacy-enhancing tool that lets users log into third-party apps without revealing their email addresses—just fixed a bug that made it possible for attackers to gain unauthorized access to those same accounts.

“In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures,” app developer Bhavuk Jain wrote on Sunday.

Sign in with Apple debuted in October as an easier and more secure and private way to sign into apps and websites.

Faced with a mandate that many third-party iOS and iPadOS apps offer the option to sign in with Apple, a host of high-profile services entrusted with huge amounts of sensitive user data adopted it.

The sign-in service, which works similarly to the OAuth 2.0 standard, logs in users by using either a JWT—short for JSON Web Token—or a code generated by an Apple server.

Apple gives users the option of sharing the Apple email ID with the third party or keeping the ID hidden.

When users hide the ID, Apple creates a JWT that contains a user-specific relay ID.

Summarized by 365NEWSX ROBOTS

© Copyright 2024 365NEWSX - All RIGHTS RESERVED