"Sign in with Apple" is potentially more private than other login
options, but it apparently included a serious security flaw. Researcher
Bhavuk Jain recently received a $100,000 bug bounty for discovering a flaw
(reported via Hacker News) in the sign-in service when it is used through
third-party apps. If an app didn't have its own security measures, an
attacker could forge a token linked to any email ID and verify it as
"valid" using Apple's public key. That could allow a "full
account takeover" even if you chose to hide your email from other
services, Jain said.

Jain found the flaw in April, and it's already fixed. Apple said there
was no evidence of accounts being compromised as a result of the flaw. …
