Security News

Get rich quick! Work from home! Earn $100,000 easy – just find a critical flaw in Apple's sign-in system
2020-06-01 23:52

Security researcher Bhavuk Jain has landed a $100,000 payday after he reported a critical flaw in Apple's sign-in system that could be exploited to access countless accounts on sites from Dropbox and Spotify to Airbnb. The security hole affected all third-party apps that use the service - Apple's equivalent of the Facebook and Google sign-in services - and "could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not."

Apple Pays $100K Bounty for Critical ‘Sign in With Apple’ Flaw
2020-06-01 16:07

The security researcher, Bhavuk Jain, reported the flaw to Apple via its bug bounty program, and was awarded $100,000 for the find. Threatpost has reached out to Apple for further comment.

No password required! “Sign in with Apple” account takeover flaw patched
2020-06-01 15:19

That's nowhere near as crazy as it sounds: you're not asking people to share their actual Apple passwords with you, which would not only be dangerous but also against Apple's terms of service. The benefits are as follows: you get top-quality cryptography and authentication "for free"; your users can use login credentials they already have; and Apple gets to encourage users to have Apple accounts in the first place.

Researcher Claims Apple Paid $100,000 for 'Sign in With Apple' Vulnerability
2020-06-01 12:39

An attacker exploiting the vulnerability could have taken over user accounts on the affected third-party applications, regardless of whether the victim was using a valid Apple ID or not, security researcher Bhavuk Jain explains. In the second step, the user is provided with the option to share the Apple Email ID with the third-party app.

Critical 'Sign in with Apple' Bug Could Have Let Attackers Hijack Anyone's Account
2020-05-30 08:43

In an interview with The Hacker News, Bhavuk Jain revealed that the vulnerability he discovered resided in the way Apple was validating a user on the client-side before initiating a request from Apple's authentication servers. Bhavuk found that though Apple asks users to log in to their Apple account before initiating the request, it was not validating if the same person is requesting JSON Web Token in the next step from its authentication server.

You, Apple Mac fan. Put down the homemade oat-milk latte, you need to patch a load of security bugs, too
2020-05-28 15:45

Apple has alerted users about a bunch of security fixes for its software on supported versions of macOS that you ought to install as soon as you can. The SSLab trio also found CVE-2020-9801 in Safari that can be exploited by malware already running on a Mac to force the browser to open another application.

Pablo Escobar’s brother sues Apple for $2.6b over FaceTime flaw
2020-05-28 13:06

Roberto Escobar's company has reportedly filed a $2.6 billion lawsuit against Apple for purportedly having lame-o security - security so bad, his address purportedly got leaked through FaceTime and has led to subsequent assassination attempts. According to TNW and TMZ, former accountant and co-founder of the Medellín drug cartel Roberto Escobar, brother to the now deceased drug kingpin Pablo Escobar, is claiming that his iPhone X nearly killed him.