Details of a now-patched vulnerability in the “Sign in with Apple” account authentication have been revealed, a zero-day that could have allowed an attacker to take control of a user’s account.
Details of a now-patched vulnerability in the “Sign in with Apple” account authentication have been revealed, a zero-day that could have allowed an attacker to take control of a user’s account.
Launched in 2019, “Sign in with Apple” is intended to be a more privacy-focused alternative to website and app log-in systems powered by Facebook and Google accounts. By minimizing the amount of a user’s data that is used for authentication and account creation, the API also helped reduce the amount of tracking Facebook and Google performed on users, in turn making it more private.
Disclosed on Saturday by security-focused developer Bhavuk Jain, a zero-day vulnerability in Sign in with Apple had the potential to let an attacker gain access to, and fully take over, a user’s account on a third-party application. According to Jain, the bug would have enabled a change in control of the application’s user account, regardless of whether the user had a valid Apple ID or not.
