Apple has awarded Indian developer Bhavuk Jain $100,000 (about Rs 75 lakh) for finding a security flaw in Sign in with Apple. Apple is known for its security and smooth user experience, but some flaws still get missed, and when you find and responsibly report one, companies will reward you, just as Apple did here.
Loophole explained by Bhavuk Jain
Bhavuk Jain wrote on his blog, "The impact of this vulnerability was quite critical as it could have allowed full account takeover".
To authorize a user, the feature relies on a JWT (JSON Web Token), a signed token generated by Apple's server. During this sign-in, Apple gives the user the option to either share or hide their Apple ID email with the third-party application. When the user chooses the latter, Apple creates a relay email address for that user. Once this step completes, Apple issues a JWT containing the email address, and the third-party app uses that token to sign the user in. Jain explained in his blog, "When the signature of these tokens was verified using Apple's public key, they showed as valid. This means an attacker could forge a JWT by linking any email ID to it and gaining access to the victim's account."
Bhavuk Jain also noted that many developers have integrated Sign in with Apple, since Apple makes it mandatory for apps that offer other social logins. He named large apps such as Dropbox, Spotify, Airbnb and Giphy that use Sign in with Apple and could therefore have been exposed to the same flaw. There is no need to worry now: Apple investigated the vulnerability reported by Bhavuk Jain and has patched it.
Apple awarded hacker $75,000
In April, Apple awarded $75,000 to security researcher Ryan Pickren for finding vulnerabilities in Apple's Safari browser that allowed an attacker to access the victim's iPhone camera. What's your opinion on Apple's security? Let me know in the comment section.