Indian Security Researcher Wins Rs. 75 Lakhs For Finding Flaw In Apple Sign In
An Indian security researcher named Bhavuk Jain just received a huge check worth Rs. 75,00,000 ($100,000) from Apple under a bug bounty programme. He discovered a critical vulnerability in the Sign in with Apple process; here are the details.
According to reports, the vulnerability would have allowed hackers to log in to the accounts of users who authenticated with the Sign in with Apple feature. It is now considered a zero-day vulnerability, and the company has already fixed the issue. Before fixing it, Apple investigated the case to ascertain whether the bug had been misused and found none.
A zero-day vulnerability is one with a gap of zero days between the time the vulnerability is discovered and the first attack. It now looks like this weakness has not been misused by anyone. The bug could have caused major cybercrime, where Apple users could have lost control over apps and services like Facebook, Spotify, Dropbox, Giphy, and Airbnb.
A user can authenticate with Sign in with Apple using either a JWT (JSON Web Token) or a code generated by the Apple server, which is in turn used to generate a JWT. In the second step of the process, the user has the option to share or not to share their Apple ID with the app developer.
If a user chose the second option, the system would automatically generate another user-specific Apple relay ID. The JWT generated by Apple contains this email ID, which can be used to log in to an app. Jain also found that JWTs could be requested for any email ID, and the signature was verified by Apple's public key.
This would allow an attacker to forge a JWT by linking the e-mail ID to it, gaining access to a user account without actually having the credentials, which could lead to a full account takeover. The company released the Sign in with Apple feature in 2019 to offer a more discreet login option for third-party apps. A lot of apps have opted for this feature, offering users an easy sign-up process.
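The following is an added illustration, not code from Apple or from Jain's report. It models the flaw described above: an issuer that signs whatever e-mail is requested, next to one that first checks the e-mail belongs to the authenticated session. The token format is simplified, HMAC-SHA256 stands in for Apple's public-key signature, and all names, keys and accounts are constructed.

```python
import base64, hashlib, hmac, json

# Constructed demo key. HMAC-SHA256 is a stand-in for the issuer's
# public-key signature so the example needs only the standard library.
ISSUER_KEY = b"constructed-demo-key"

# Constructed accounts: each user's real e-mail and relay e-mail.
ACCOUNTS = {
    "attacker": {"attacker@example.com", "relay-a1@relay.example"},
    "victim": {"victim@example.com", "relay-v1@relay.example"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(payload: dict) -> str:
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def issue_token_flawed(session_user: str, requested_email: str) -> str:
    # Flaw as described: the requested e-mail is signed without checking
    # that it belongs to the authenticated session.
    return _sign({"iss": "issuer.example", "email": requested_email})

def issue_token_fixed(session_user: str, requested_email: str) -> str:
    # Mitigation: only sign an e-mail bound to the authenticated account.
    if requested_email not in ACCOUNTS.get(session_user, set()):
        raise PermissionError("e-mail does not belong to this session")
    return _sign({"iss": "issuer.example", "email": requested_email})

def relying_party_verify(token: str) -> dict:
    # The third-party app can only check the signature; it has to trust
    # that the issuer validated the claims before signing them.
    body, sig = token.split(".")
    expected = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
```

A valid signature proves only that the issuer signed the claims, so the check has to happen on the issuer's side before signing.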
Bhavuk Jain in a statement said that "the bug could have resulted in a full account takeover of user accounts on that third-party application irrespective of a victim having a valid Apple ID or not and Apple paid $100,000 under Apple Security Bounty program". Jain is a full-stack mobile application developer by profession and a full-time bug-bounty hunter, trying to make the internet a safer place for everyone.