• Home
  • Mobiles
  • Mobiles News
  • Apple Pays Indian Developer Rs. 75 Lakh for Finding a Bug in ‘Sign in With Apple’ Process

Apple Pays Indian Developer Rs. 75 Lakh for Finding a Bug in ‘Sign in With Apple’ Process

The ‘Sign in with Apple’ Zero Day bug could give hackers a complete account takeover.

Apple Pays Indian Developer Rs. 75 Lakh for Finding a Bug in ‘Sign in With Apple’ Process

Photo Credit: Bhavukjain.com

The vulnerability has reportedly been patched

  • Indian developer found vulnerability in Sign in with Apple process
  • He was paid $100,000 (roughly Rs. 75.3 lakh) for finding it
  • The flaw could allow complete account takeover

Apple has reportedly paid an Indian developer $100,000 (roughly Rs. 75.3 lakh) for finding a critical bug in the ‘Sign in with Apple' process on its devices. The 27-year-old developer named Bhavuk Jain had discovered a Zero Day bug in the 'Sign in with Apple' process that could have allowed hackers to gain access to the user's account where they were trying to sign in. The Cupertino-based company acknowledged this bug and stated that it had investigated and patched it, adding that this flaw was not exploited.

What is ‘Sign in with Apple'?

Jain disclosed this flaw in Apple's ‘Sign in with Apple' process that he found in April, on May 30 through a blog post. The ‘Sign in with Apple' feature was introduced in June last year. This feature allows Apple account holders to sing in to third part apps without having to share their email address. This is done by generating a JSON Web Token (JWT) containing information required by the third-party application to confirm the identity of the user. While this process was implemented to preserve user privacy, the Zero Day bug found by Jain exposes the user accounts to attacks.

Sign in with Apple bug

According to the blog post by Jain, it was found that while signing in with Apple, users are required to log-in to their Apple account, which is the first step. In the second step, however, it was found that there was no validation to check if the same user is requesting a JWT to login to a third party app. This, as explained by Jain, could allow a hacker takeover the user's account by faking a JWT.

“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple's public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim's account,” Jain said. The developer went on to state that the impact of this flaw is “quite critical” and that it could allow a full account takeover. This in turn, would give hackers access to a lot of personal user data that might include log in credentials, passwords, account details, and other such private information.


While not many apps support this sign in process, it is available for Dropbox, Giphy, Spotify, and Airbnb, among others. Additionally, several other apps have this feature but not as a mandate. However, it still puts users at risk and as per the blog post, Apple conducted its own investigation of its logs and stated that no account has been compromised due to this vulnerability. Jain was paid $100,000 (roughly Rs. 75.3 lakh) by Apple under its Apple Security Bounty program for discovering and reporting this vulnerability.

Is Realme TV the best TV under Rs. 15,000 in India? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.


For details of the latest launches and news from Samsung, Xiaomi, Realme, OnePlus, Oppo and other companies at the Mobile World Congress in Barcelona, visit our MWC 2024 hub.

Poco X2 Price in India Increased by Rs. 500, Now Starts at Rs. 17,499
Facebook Slams 'Severe' Singapore Misinformation Law
Share on Facebook Gadgets360 Twitter Share Tweet Snapchat Share Reddit Comment google-newsGoogle News


Follow Us


© Copyright Red Pixels Ventures Limited 2024. All rights reserved.
Trending Products »
Latest Tech News »