Article 546J3 Apple fixes bug that could have given hackers full access to user accounts

by
Dan Goodin
from Ars Technica - All content on (#546J3)

Sign in with Apple, a privacy-enhancing tool that lets users log in to third-party apps without revealing their email addresses, just fixed a bug that made it possible for attackers to gain unauthorized access to those same accounts.

"In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn't implement their own additional security measures," app developer Bhavuk Jain wrote on Sunday. "This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not."

Jain privately reported the flaw to Apple under the company's bug bounty program and received a hefty $100,000 payout. The developer shared details after Apple updated the sign-in service to patch the vulnerability.

External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/