Apple paid a bug bounty of $100,000 to a Delhi-based security researcher who pointed out a critical vulnerability in the “Sign in with Apple” account authentication. Apple had announced ‘Sign in with Apple’ in June 2019 to provide a more privacy-oriented option for logging in to apps and websites than Facebook and Google accounts.
On May 24, Bhavuk Jain, the vulnerability researcher, took to Twitter to announce that he had received a confirmation email for the $100,000 bug bounty. He also posted a snippet of the email, which said that Jain’s report qualified for the Apple Security Bounty and that the firm would reward him $100,000 for reporting the issue.
A week later, Jain shared the details of the bug in a detailed blog post, saying the impact of the vulnerability was critical because it could have allowed a full account takeover. He wrote that many developers have integrated Sign in with Apple, since it is mandatory for applications that support other social logins, and cited Dropbox, Spotify, and Airbnb as examples.
“This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not,” he added.
‘No account compromised’
Jain said that although the applications were not tested, they could have been vulnerable to a full account takeover if no other security measures were in place when verifying a user. He added that Apple had also investigated its logs and determined that there had been no misuse and that no account had been compromised as a result of this vulnerability.
HackerOne CEO Mårten Mickos congratulated Jain on the “fantastic find”, saying that everyone benefits when a vulnerability is found and fixed.
This is amazing. Congratulations for the fantastic find! Everybody is better off with the vulnerability found and fixed. And what a reward – $100,000! Absolutely outstanding.
— Mårten Mickos (@martenmickos) May 24, 2020