Sign in with Apple vulnerability allowed unauthorised access to linked accounts

The Sign in with Apple service was introduced at WWDC in 2019, and was recently found to have a serious vulnerability.
Apple’s “Sign in with Apple” was found to have a vulnerability that would allow hackers to gain access to any account that was linked with the service. The vulnerability was discovered by Bhavuk Jain, an Indian security researcher, who promptly reported it to Apple. Apple investigated the matter, concluded that the vulnerability was real, and awarded the researcher $10,000 as part of its bug-bounty program.
The vulnerability concerned how Apple validated users “on the client-side before initiating a request from Apple’s authentication services.” The server would generate a JSON Web Token, which the third-party service would then use to authenticate the user. The vulnerability allowed this token to be spoofed, letting any malicious actor gain access to a user’s account.
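The sketch below is an added illustration, not code from Apple, the researcher or this article. It shows one way a server-issued token can end up vouching for the wrong user: the issuer signs an identity claim without tying it to the session it authenticated, shown beside a version that does. The session store, key, function names and the use of HMAC signing are assumptions made for the example.

```python
import base64, hashlib, hmac, json

# Constructed demo key; HMAC keeps the sketch stdlib-only (an assumption,
# real identity providers typically sign with an asymmetric key pair).
SERVER_KEY = b"constructed-demo-key"
# Constructed session store: session id -> identity the server authenticated.
SESSIONS = {"sess-alice": "alice@example.com", "sess-mallory": "mallory@example.com"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _mac(signing_input: str) -> str:
    return _b64(hmac.new(SERVER_KEY, signing_input.encode(), hashlib.sha256).digest())

def sign_token(claims: dict) -> str:
    """Build a compact HS256 JSON Web Token over the given claims."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_mac(header + '.' + body)}"

def verify_token(token: str) -> dict:
    """Third-party check: a valid signature is all the service can see."""
    header, body, sig = token.split(".")
    if not hmac.compare_digest(_mac(header + "." + body), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def issue_token_weak(session_id: str, requested_email: str) -> str:
    """Weak: confirms a session exists, then signs whatever identity was sent."""
    if session_id not in SESSIONS:
        raise PermissionError("not logged in")
    return sign_token({"email": requested_email})

def issue_token_bound(session_id: str, requested_email: str) -> str:
    """Hardened: the claim comes from server-side session state only."""
    authenticated = SESSIONS.get(session_id)
    if authenticated is None:
        raise PermissionError("not logged in")
    if requested_email != authenticated:
        raise PermissionError("requested identity does not match session")
    return sign_token({"email": authenticated})

if __name__ == "__main__":
    # The weak issuer yields a token that verifies but names another user.
    print(verify_token(issue_token_weak("sess-mallory", "alice@example.com")))
    try:
        issue_token_bound("sess-mallory", "alice@example.com")
    except PermissionError as exc:
        print("bound issuer refused:", exc)
```

Because the third-party service only checks the signature, the fix has to live in the issuer: nothing in a correctly signed token tells the relying party that the claim was never checked against the logged-in user.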