Finding Serious 'Sign In with Apple' Hole Earns Security Researcher a $100,000 Bug Bounty (forbes.com)
An anonymous reader quotes Forbes:
When Apple announced Sign in with Apple at the June 2019 worldwide developers conference, it called it a "more private way to simply and quickly sign into apps and websites." The idea was, and still is, a good one: replace social logins that can be used to collect personal data with a secure authentication system backed by Apple's promise not to profile users or their app activity... Unsurprisingly, it has been pushed as being a more privacy-oriented option than using your Facebook or Google account.
Fast forward to April 2020, and a security researcher from Delhi uncovered a critical Sign in with Apple vulnerability that could allow an attacker to potentially take over an account with just an email ID. A critical vulnerability that was deemed important enough that Apple paid him $100,000 through its bug bounty program by way of a reward. With the vulnerability already now patched by Apple on the server-side, Bhavuk Jain published his disclosure of the security shocker on May 30.
It applied "only to third-party apps which used Sign in with Apple without taking any further security measures," the article points out, adding that the researcher who found it "said Apple carried out an internal investigation and determined that no account compromises or misuse had occurred before the vulnerability was fixed."
But they also quote an SME application security lead at ImmersiveLabs who said he "would have expected better testing around this from a company such as Apple, especially when it is trying to set itself a reputation as privacy-focused."
Sales Pitch (Score:3)
"But they also quote an SME application security lead at ImmersiveLabs who said he "would have expected better testing around this from a company such as Apple, especially when it is trying to set itself a reputation as privacy-focused.""
In other words, if they had used us to do their testing, we wouldn't have missed this bug.
Re: (Score:2)
"But they also quote an SME application security lead at ImmersiveLabs who said he "would have expected better testing around this from a company such as Apple, especially when it is trying to set itself a reputation as privacy-focused.""
In other words, if they had used us to do their testing, we wouldn't have missed this bug.
No, as in: They should have done better testing considering this is a security critical feature.
Re: (Score:1)
I'm just amused that he is surprised. Has he not paid any attention to Apple's long and sordid history of glaring security flaws? Only the fact that they make up such a tiny portion of the installed base has kept Mac users mostly free from attacks.
Re: (Score:2)
Well that is just general Apple Hate.
The predominance of Apple hardware to the number of hacks and problems that have gone out to the general public is much smaller than what we have with Microsoft.
Re: LOL (Score:1)
Let's be honest here (Score:2)
Apple made a mistake in the implementation of their log-in feature, but fixed it. No harm done.
Google, Facebook and Twitter don't even try to hide the fact that they're trying to track everyone's moves on almost every fucking website on the planet.
Re: Let's be honest here (Score:1)
Re: (Score:2)
They've always claimed on-device encryption. Show me where they claimed to offer encrypted cloud storage.
And it's strange that you think you have no option to use their cloud platform, because I don't use it.
Today $100k bounty, tomorrow $1mil zero-day (Score:2)
It's well known the FBI and other organizations get into iPhones by renting or purchasing zero-day exploits from hackers and re-sellers like Zerodium. They sell for millions when they are this severe and affect a product this well-used, rather than a mere 100k. That's as much as Apple spends for about 3-4 months of work of a security engineer at its corporate HQ.
For every hacker who takes the large bounty, there's ten more that sell on underground channels. Until bounties match what the exploit is worth
Re: (Score:2)
I doubt it would be that much paid toward a Gray/Black hat hacker.
A 100k bounty to white hats is a good investment to make sure there are alternative fixes to the software. 1 million is often enough to fall under some of the public accounting even for those like the FBI and CIA, in which case they will need to justify it to the public.
So you're a shoplifter? (Score:2)
There are a couple of assumptions there which may not be true.
You assume that most people have no integrity, that whoever is really good in this field is just as happy to sell to criminals as to help humanity. That hasn't been my experience.
You assume that facing a 10-year prison sentence vs a great career boost makes no difference. I happen to work in this space, and I will tell you I very much want to go home to my family after work, not be in prison while my daughter grows up.
You'll note that shoplifting
Re: (Score:2)
Many of the hackers on HackerOne's platform are from areas where there is no chance of going to prison for cybercrime against US companies or, much of the population actively hates the US. Some hackers on HackerOne are based in Iran. Many others are based in Pakistan and Russia.
So no, I am not suggesting that I, or any Western-based security researcher, would ever make such a choice.
In line with Socrates
Re: (Score:2)
That's an interesting point. That's true, people justify their actions, and believe their justifications to varying degrees.
As to the general statement attributed to Socrates, I'll note that I've knowingly done wrong when temptation was great for some reason. Just last week a friend of mine committed a small fraud and he was ashamed when I expressed disapproval - shame meaning he knew it was wrong. I suspect most people who cheat on their spouse know it's wrong, even if they 10% believe whatever justificat
Not a bad payout (Score:4, Insightful)
Re: (Score:2)
not being paid out
This happens to people?