Just In
-
-
-
-
Don't Miss
-
Pavi Caretaker Box Office Collection Day 1 Prediction: Dileep's Movie Expected To Open Strongly -
Who Won Yesterday's IPL Match 41? SRH vs RCB, IPL 2024 on April 25: Royal Challengers Bangalore End Losing Streak -
Bajaj Group Stock Declares Rs. 60/Share Dividend: Buy Ahead of Record Date On 28 June? -
MEA Dismisses US Human Rights Report On Manipur As 'Biased And Misinformed' -
Royal Enfield Unveils Revolutionary Rentals & Tours Service: Check Out All Details Here -
AICTE introduces career portal for 3 million students, offering fully-sponsored trip to Silicon Valley -
Heeramandi Screening: Alia Bhatt, Ananya Panday, Rashmika Mandanna And Others Serve Finest Ethnic Style! -
Escape to Kalimpong, Gangtok, and Darjeeling with IRCTC's Tour Package; Check Itinerary
Indian Security Researcher Wins Rs. 75 Lakhs For Finding Flaw In Apple Sign In
An Indian security researcher named Bhavuk Jain just received a huge check worth Rs. 75,00,000 ($100,000) from Apple under a bug bounty programme. He discovered a critical vulnerability in the sign-in process with Apple, here are the details.
According to the reports, the vulnerability would allow hackers to log in to the user's account who used Apple's sign in with apple feature for authentication. This is now considered as a zero-day vulnerability and the company has already fixed the issue. Before fixing the issue, Apple did investigate the case to ascertain if there were any misuse of this bug and found none.
A zero-day vulnerability is something that has zero days gap between the time of vulnerability discovered and the first attack. And now, it looks like this susceptibility has not been misused by anyone. This bug could have caused major cybercrime, where Apple users could have had lost their control over apps and services like Facebook, Spotify, Dropbox, Giphy, and Airbnb.
A user can authenticate using Sign up with Apple by using JWT (JSON Web Token) or a code generated by the Apple server, which was again used to generate JWT. In the second step of the process, a user has an option to share or not to share Apple ID with the app developer.
If a user chose the second option, the system would automatically generate another user-specific Apple relay ID. The JWT code generated by Apple contains this email ID, which can be used to login to an app. Not just that, Jain also found out that the JWTs can be requested to any email ID and when the signature was verified by Apple's public key.
This feature would allow an attacker to forge JWT by linking the e-mail ID letting access to a user account without actually having the credentials, which could lead to a full account takeover. The company resealed Sign-up with Apple feature in 2019 to offer more discreet login option to third-party apps. A lot of apps have opted for this feature, offering users an easy sign-up process.
Bhavuk Jain in a statement said that "the bug could have resulted in a full account takeover of user accounts on that third-party application irrespective of a victim having a valid Apple ID or not and Apple paid $100,000 under Apple Security Bounty program". Jain is a full-stack mobile application developer by profession and a full-time bug-bounty hunter, trying to make the internet a safer place for everyone.
-
99,999 -
1,29,999 -
69,999 -
41,999 -
64,999 -
99,999 -
29,999 -
63,999 -
39,999 -
1,56,900
-
79,900 -
1,39,900 -
1,29,900 -
65,900 -
1,56,900
-
1,30,990 -
76,990 -
16,499 -
30,700 -
12,999
-
11,999 -
16,026 -
14,248 -
14,466 -
26,634 -
18,800 -
62,425 -
1,15,909 -
93,635 -
75,804
