
Indian Won Rs 75 Lakh From Apple By Thinking Different in Finding a Bug

Highlights:

  • Indian Won Rs 75 Lakh ($100,000) From Apple under its Bug Bounty program
  • 27-year-old Indian security researcher Bhavuk Jain discovered the bug in the “Sign in with Apple” service
  • Attackers could have gained access to a user’s app account

Apple announced its bug bounty program for all security researchers in December 2019.

It offers rewards in different categories for the discovery of major bugs in its operating systems.

The program offers rewards of $1 million or more to hackers.

In 2019, “Sign in with Apple” was launched as a more security-focused option for website and app log-in systems than those powered by Facebook and Google accounts.

To make log-in more secure, the service minimizes the amount of a user’s data that is used for authentication and account creation.

The API also helped reduce the amount of tracking Facebook and Google performed on users.

An Indian researcher won Rs 75 lakh from Apple by discovering a zero-day vulnerability.

How Did an Indian Win Rs 75 Lakh From Apple?

Bhavuk Jain, a 27-year-old Indian developer from Telangana, has claimed $100,000 (about Rs. 75.5 lakh) from Apple.

He discovered a new zero-day vulnerability in the ‘Sign in with Apple’ authentication page.

The vulnerability allows a hacker to gain access to, and fully take over, a user’s account on a third-party application.

According to Bhavuk Jain, the bug would have enabled a change in control of the application’s user account, regardless of whether the user had a valid Apple ID or not.

Jain said, “This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”

He confirmed, “For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty programme.”

According to him, ‘Sign in with Apple’ works similarly to ‘OAuth 2.0’.

“There are two possible ways to authenticate a user by either using a JWT (JSON Web Token) or a code generated by the Apple server. The code is then used to generate a JWT.”

During authorization, Apple provides an option to a user to either share the Apple Email ID with the third party app or not.

If the user decides to hide the Email ID, Apple generates its own user-specific Apple relay Email ID.

Jain said, “Depending upon the user selection, after successful authorization, Apple creates a JWT which contains this email ID which is then used by the 3rd party app to log in a user.”

He found that he could request JWTs for any email ID from Apple, and when the signature of these tokens was verified using Apple’s public key, they showed as valid.

He then noted, “This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”

The impact of the bug could have been critical, as it allowed a hacker full access to the account.
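The following is an added example, not code from Apple or from Jain's report. It models the flaw described above: an issuer that signs a token for whatever email ID is requested, next to one that only signs email IDs tied to the authenticated session. The session store, the names, the HMAC signature (standing in for Apple's public-key signature so the example runs on the standard library) and the shape of the fix are all assumptions.

```python
import base64, hashlib, hmac, json

# Constructed demo key. HMAC stands in for the issuer's public-key signature.
ISSUER_KEY = b"constructed-demo-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(ISSUER_KEY, f"{header}.{body}".encode(), hashlib.sha256)
    return f"{header}.{body}.{_b64(mac.digest())}"

def verify_jwt(token: str) -> dict:
    """Third-party app side: checks the signature, then trusts the claims."""
    header, body, sig = token.split(".")
    mac = hmac.new(ISSUER_KEY, f"{header}.{body}".encode(), hashlib.sha256)
    if not hmac.compare_digest(_b64(mac.digest()), sig):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))

# Constructed session store: session id -> email IDs that account may share
# (its own address and its issuer-generated relay address).
SESSIONS = {
    "sess-alice": {"alice@example.com", "relay-a1@relay.example"},
    "sess-bob": {"bob@example.com", "relay-b2@relay.example"},
}

def issue_token_flawed(session_id: str, requested_email: str) -> str:
    """Flawed issuer: any logged-in session gets a signed token for any email."""
    if session_id not in SESSIONS:
        raise PermissionError("not authenticated")
    return sign_jwt({"iss": "issuer.example", "email": requested_email})

def issue_token_fixed(session_id: str, requested_email: str) -> str:
    """Hardened issuer: the email must belong to the authenticated session."""
    allowed = SESSIONS.get(session_id)
    if allowed is None:
        raise PermissionError("not authenticated")
    if requested_email not in allowed:
        raise PermissionError("email does not belong to this session")
    return sign_jwt({"iss": "issuer.example", "email": requested_email})
```

Signature verification on the app side succeeds in both cases, so the missing check can only be enforced by the issuer before it signs.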

The company made it mandatory for apps that did not support third-party logins, and many developers have made use of the “Sign in with Apple” service for their apps.

However, Apple patched the bug, and before patching, the company checked its logs and determined there was no misuse or account compromise due to the zero-day vulnerability.

Thanks and congratulations to the Indian researcher who won Rs 75 lakh from Apple.
