Monday, June 1, 2020

Apple fixes bug that could have given hackers full access to user accounts

Photograph of multiple Apple devices lined up together.

Enlarge (credit: Apple)

Sign in with Apple—a privacy-enhancing tool that lets users log into third-party apps without revealing their email addresses—just fixed a bug that made it possible for attackers to gain unauthorized access to those same accounts.

“In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures,” app developer Bhavuk Jain wrote on Sunday. “This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”

Jain privately reported the flaw to Apple under the company’s bug bounty program and received a hefty $100,000 payout. The developer shared details after Apple updated the sign-in service to patch the vulnerability.

Read 5 remaining paragraphs | Comments

https://arstechnica.com

No comments:

Post a Comment

Arizona's Maricopa County is set to have the second largest concentration of US data centers by 2028, as the state races to increase electricity production (Pranshu Verma/Washington Post)

Pranshu Verma / Washington Post : Arizona's Maricopa County is set to have the second largest concentration of US data centers by 202...