Researcher Reports Zero-Day in Sign In With Apple, Gets Paid $100,000 Bounty

Bhavuk Jain:

In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures. This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.

For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty program. […]

Apple also did an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability.

Nice write-up of the technical details too.

Monday, 1 June 2020