An enormous security gap was discovered by a bug bounty hunter in India that cost Apple a round sum of $100,000 from its special “Apple Bug Bounty Fund” .
The bug, which due to its magnitude should more appropriately be deemed a titan beetle, had to do with the popular ‘Sign In With Apple’ feature.
Zero-day in Sign in with Apple – bounty $100khttps://t.co/9lGeXcni3K
— Bhavuk Jain (@bhavukjain1) May 30, 2020
The feature is available on a variety of different websites and in different apps. And it allows users to sign in using their Apple ID, which in theory would have provided them with a higher level of security. ‘Sign In With Apple’ essentially offers Apple users to create and log into accounts on a wide range of platforms whilst allegedly benefiting from the fact that their personal details are better shielded.
But as it turns out, nothing could be farther away from the truth.
Apple Bug Bounty Hunter From India – Bhavuk Jain
What the bug bounty hunter from India revealed was that basically anyone in possession of your email address could also gain access to said personal details. And all it would take was a basic request to the Apple ID servers, which would in turn send a token.
This token would then be verified by the Apple ID servers, and with that anyone would be instantly granted access to any account linked to your Apple ID.
The bounty hunter who detected the bug is actually well-known and respected in the industry. His name is Bhavuk Jain, and this certainly wouldn’t be the first security issue he identified. Jain has previously found issues with social media giants Facebook, Pinterest and even Google.
Thankfully, however, since the issue was reported and since Jain received his bounty, Apple was quick to act on the problem and fix it. You can find more about the security vulnerability here.