If you ever tried to sign in with Apple, then you are vulnerable to account takeovers.
What are we talking about
A security researcher spotted a critical vulnerability and reported it immediately to Apple, but before it was found, how many users were already affected? Remote attackers could have taken over any targeted user's account on third-party services and apps.
The company's Sign in with Apple feature, launched at WWDC 2019, gives users the option to log in to third-party apps, websites, and more using only their Apple ID. The feature also helps protect users' privacy: its "Hide My Email" function lets them withhold their real email addresses from sites and apps.
An independent security researcher named Bhavuk Jain discovered the bug in Sign in with Apple and reported it to the company promptly; on May 30, Apple paid him a $100,000 bug bounty for the disclosure. Jain explained the bug's severity in his write-up; thankfully, the bug has now been patched, and the feature is safe to use.
Jain wrote in his blog post: "The impact of this vulnerability was quite critical as it could have allowed full account takeover. Many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple - Dropbox, Spotify, Airbnb, Giphy (Now acquired by Facebook). These applications were not tested but could have been vulnerable to a full account takeover if there weren't any other security measures in place while verifying a user."
Just how could this have been used against Apple users
Beyond a full account takeover, remote attackers could have reached your social media, important files, and other sensitive information you want to keep hidden. Sign in with Apple works much like OAuth 2.0: a user can be authenticated in either of two ways, with a JSON Web Token (JWT) issued directly, or with a code generated by Apple's server that is then exchanged for a JWT.
Jain first discovered that he could request JWTs for any email ID from Apple, and because the tokens' signatures verified under Apple's public key, they were accepted as valid. As a result, an attacker could effectively forge a valid JWT linked to a victim's email ID and gain access to the victim's linked accounts.
Right after Jain submitted his discovery, Apple investigated its logs and, thankfully, found no misuse or account compromise through the vulnerability. Jain did Apple users a great service: sooner or later, attackers would have figured out what he found and, worse, used it to their benefit.
The good thing is that Jain brought it to Apple before it became a zero-day, that is, before attackers discovered the vulnerability and possibly hundreds or thousands of users were affected before it could be fixed.