Stories
Slash Boxes
Comments

SoylentNews is people

White Hat Demonstrates Apple's (Lack of) Security Prowess

posted by Fnord666 on Monday June 01 2020, @01:04PM   Printer-friendly
from the OAuth2-isn't-that-hard dept.

JoeMerchant writes:

What if I say, your Email ID is all I need to takeover your account on your favorite website or an app. Sounds scary, right? This is what a bug in Sign in with Apple allowed me to do.

When Apple announced Sign in with Apple at the June 2019 worldwide developers conference, it called it a "more private way to simply and quickly sign into apps and websites." The idea was, and still is, a good one: replace social logins that can be used to collect personal data with a secure authentication system backed by Apple's promise not to profile users or their app activity.

One of the plus points that got a lot of attention at the time was the ability for a user to sign up with third-party apps and services without needing to disclose their Apple ID email address. Unsurprisingly, it has been pushed as being a more privacy-oriented option than using your Facebook or Google account.

Fast forward to April 2020, and a security researcher from Delhi uncovered a critical Sign in with Apple vulnerability that could allow an attacker to potentially take over an account with just an email ID. A critical vulnerability that was deemed important enough that Apple paid him $100,000 (£81,000) through its bug bounty program by way of a reward.

Considering the level of embarrassment possible for basically leaving the front door unlocked, I'd say the reward was on the light side.

I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple's public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim's account.

Original Submission

 
This discussion has been archived. No new comments can be posted.
White Hat Demonstrates Apple's (Lack of) Security Prowess | Log In/Create an Account | Top | 26 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by JoeMerchant on Tuesday June 02 2020, @12:49PM (4 children)

    by JoeMerchant (3937) on Tuesday June 02 2020, @12:49PM (#1002155)

    Ah... seems like weak sauce to start with, but I see the commercial appeal. Craigslist and others have been doing similar things for a long time, but as a single server not an Oauth type stand-off.

    Seems like anyone wanting to anonymize their e-mail communication with a 3rd party should just make a binary choice: anonymize yes/no? If yes, they shouldn't have anything to do with selection of the ID used to carry e-mails.

    --
    🌻🌻 [google.com]
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by TheRaven on Tuesday June 02 2020, @04:20PM (3 children)

    by TheRaven (270) on Tuesday June 02 2020, @04:20PM (#1002210) Journal
    They don't, at the UI level. The UI says 'share your email address, yes / no'. This is implemented by a form submission that passes either the user's email address or a one-shot one (which was generated when the page was generated) back to Apple. Apple trusted the form submission from this page because they generated it and forgot that the client could tamper with it.
    --
    sudo mod me up

    • (Score: 2) by JoeMerchant on Tuesday June 02 2020, @04:35PM (2 children)

      by JoeMerchant (3937) on Tuesday June 02 2020, @04:35PM (#1002216)

      Assumption #2 in security: anything that can be tampered with, will be.

      I just finished an impromptu review of our software update functionality - had a request to try to use it as a backdoor to exfiltrate information to USB stick, that wasn't in the original design spec, but it seemed like something as powerful as a software update mechanism might be able to pull it off: if the user/attacker had the proper update signing key. Unfortunately for those hoping for a quick-fix to the problem du-jour, it appears that the software update function, as implemented, cannot be twisted to effectively become an arbitrary file export to USB mechanism unless it is actually used via its intended function: to update the device software.

      Bottom line: in an ideal implementation, software only does what it was designed to do, nothing more. Any unintended functional scope is a potential security hole.

      --
      🌻🌻 [google.com]

      • (Score: 2) by TheRaven on Tuesday June 02 2020, @05:28PM (1 child)

        by TheRaven (270) on Tuesday June 02 2020, @05:28PM (#1002247) Journal
        In Apple's defence, the email address is untrusted in their model. It's not the unique ID, so if you do tamper with it and the service is correctly implemented then all you can do is make it send emails containing your data to the wrong person. It's a combination of Apple's bug and other people using the wrong identifier as the client ID that causes this problem. If people used the Apple APIs correctly, the Apple bug wouldn't allow you to log in as someone else, it would just allow you to send password recovery emails to the wrong person. From Apple's perspective, the only person you can attack is yourself. Unfortunately, security usability is a real thing and the easiest way of using Apple's API was incorrectly, using the email address (which may change between logins) as the unique ID.
        --
        sudo mod me up

        • (Score: 2) by JoeMerchant on Tuesday June 02 2020, @05:52PM

          by JoeMerchant (3937) on Tuesday June 02 2020, @05:52PM (#1002261)

          Hang on, I've heard this one before:

          the easiest way of using Apple's API was incorrectly

          You're holding it wrong!

          --
          🌻🌻 [google.com]