Security News

Apple's Face ID: Cheat sheet
2020-06-11 14:43

Apple made a big change when it released the iPhone X: It ditched Touch ID fingerprint security for a new face-based biometric sign-on tool called Face ID. The fingerprint scanner on most post-iPhone X Apple products is gone, and in its place is a new camera array capable of capturing a face map that is, according to Apple, 20 times less likely to be hacked than a Touch ID fingerprint. Who does Face ID affect? Face ID affects anyone who plans to use an iPhone X or newer Apple device.

Apple Releases Open Source Password Manager Resources
2020-06-08 14:07

Apple has announced the availability of a series of open source tools designed to foster collaboration between password manager developers. Published on GitHub in the Password Manager Resources repository, the tools should help developers create strong passwords compatible with popular websites.

Apple Jailbreak Zero-Day Gets a Patch
2020-06-02 13:53

Apple quietly pushed out a small but important update for operating systems across all of its devices, including a patch for a zero-day exploit used in an iPhone jailbreak tool released last week. Jailbreak tools take advantage of vulnerabilities in iOS to allow users root access and full control of their device, in order to load programs and code from outside of the Apple walled garden.

"Sign in with Apple" Vulnerability
2020-06-02 11:27

Researcher Bhavuk Jain discovered a vulnerability in the "Sign in with Apple" feature, and received a $100,000 bug bounty from Apple. Basically, forged tokens could gain access to pretty much any...

Apple Patches Recent iPhone Jailbreak Zero-Day
2020-06-02 08:57

Apple on Monday released security patches to address a zero-day vulnerability that had been used to jailbreak iPhones running iOS 13.5. One week later, Apple has released security patches to fix the issue, revealing that the root cause of the bug was memory consumption and that improved memory handling would address it.

Get rich quick! Work from home! Earn $100,000 easy – just find a critical flaw in Apple's sign-in system
2020-06-01 23:52

Security researcher Bhavuk Jain has landed a $100,000 payday after he reported a critical flaw in Apple's sign-in system that could be exploited to access countless accounts on sites from Dropbox and Spotify to Airbnb. The security hole affected all third-party apps that use the service - Apple's equivalent of the Facebook and Google sign-in services - and "could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not."

Apple Pays $100K Bounty for Critical ‘Sign in With Apple’ Flaw
2020-06-01 16:07

The security researcher, Bhavuk Jain, reported the flaw to Apple via its bug bounty program, and was awarded $100,000 for the find. Threatpost has reached out to Apple for further comment.

No password required! “Sign in with Apple” account takeover flaw patched
2020-06-01 15:19

That's nowhere near as crazy as it sounds: you're not asking people to share their actual Apple passwords with you, which would not only be dangerous but also against Apple's terms of service. The benefits are as follows: you get top-quality cryptography and authentication "for free"; your users can use login credentials they already have; and Apple gets to encourage users to have Apple accounts in the first place.

Researcher Claims Apple Paid $100,000 for 'Sign in With Apple' Vulnerability
2020-06-01 12:39

An attacker exploiting the vulnerability could have taken over user accounts on the affected third-party applications, regardless of whether the victim was using a valid Apple ID or not, security researcher Bhavuk Jain explains. In the second step, the user is provided with the option to share the Apple Email ID with the third-party app.