In 2019, Apple announced a Sign in with Apple option for users who preferred not to share personal email addresses with the third-party apps and services they use on their devices. The feature, which was announced at WWDC as a way to protect user privacy, has since been compromised.
According to a report from iMore, security researcher Bhavuk Jain recently discovered a critical flaw within the feature on iOS devices. If exploited, the flaw would allow remote attackers to take over unsuspecting victims’ accounts on third-party apps, including Spotify, Dropbox, and Giphy. After finding the vulnerability, Jain reported it to Apple through the company’s bug bounty program, and he has been awarded $100,000 for his discovery.
Jain also broke down his findings in a blog post on his website.
“I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures,” he wrote.