Apple introduced “Sign in with Apple” with iOS 13, along with other major features like “Deep Fusion”, a powerful photo editor, and the popular “Dark Mode”. Now, “Sign in with Apple” was more of a privacy-focused feature, unlike the ones mentioned. However, Bhavuk Jain, an Indian developer with a BSc degree in Electronics and Communication, found a zero-day vulnerability in the “Sign in with Apple” account authentication system. He reported it to Apple, and the company rewarded him handsomely for the deed.
Now, this Zero-Day vulnerability allowed hackers to take control of a user’s account in third-party apps like Spotify, Giphy (now under Facebook), Dropbox, and Airbnb.
Apple brought in “Sign in with Apple” to hide a user’s personal email ID when signing in to an app or service. It generates a unique ID for the user that the third-party app uses for authentication, and email sent to that ID is redirected to the user’s personal address.
However, Jain noticed a bug in the feature’s verification system: it reported any email ID as “valid” when a user signed in with “Sign in with Apple”.
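To make concrete what the third-party side of that verification looks like, here is an added example (not code from the article, from Jain, or from Apple) of how a relying party validates an identity token from a sign-in provider and links it to a local account. Everything in it is an assumption for illustration: the relying-party identifier `com.example.thirdpartyapp`, the constructed claims, and above all the signing scheme. Apple’s real identity tokens are RS256-signed and must be checked against the public keys Apple publishes; the HMAC key below is a stand-in so the example runs offline. Note the limit this places on the bug described above: a token the provider itself signed with an arbitrary email passes every check here, which is why the standard practice is to key the account on the provider’s stable subject identifier (`sub`) rather than on the email claim alone.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the provider's signing key. Real Sign in with Apple
# tokens are RS256-signed and verified against Apple's published public keys;
# HMAC is used here only so the example runs without network access.
DEMO_KEY = b"demo-secret-not-a-real-apple-key"
APPLE_ISSUER = "https://appleid.apple.com"
CLIENT_ID = "com.example.thirdpartyapp"   # assumed relying-party identifier


class TokenError(ValueError):
    """Raised for any token that must not be accepted."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT signed with HS256. Demo only: stands in for the
    token the identity provider would issue."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_identity_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Validate the signature and the claims a relying party must check
    (issuer, audience, expiry, subject) before trusting the token."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != APPLE_ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise TokenError("token issued for a different app")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenError("token expired or has no expiry")
    if not claims.get("sub"):
        raise TokenError("missing subject identifier")
    return claims


def link_or_lookup(accounts: dict, claims: dict) -> str:
    """Locate the local account by the provider's stable subject id.
    The email claim is stored for contact purposes but is not the key."""
    sub = claims["sub"]
    if sub not in accounts:
        accounts[sub] = {"email": claims.get("email")}
    return sub


if __name__ == "__main__":
    now = int(time.time())
    # Constructed sample claims, in the shape of a provider identity token.
    token = make_demo_token({
        "iss": APPLE_ISSUER, "aud": CLIENT_ID, "exp": now + 600,
        "sub": "001234.demo-subject", "email": "relay-demo@example.invalid",
    })
    accounts = {}
    print("account:", link_or_lookup(accounts, verify_identity_token(token, now=now)))
```

Running the module builds one constructed token, verifies it and links it to an account keyed on `sub`. Editing the email inside a token without re-signing fails the signature check; a token issued for a different `aud`, or already expired, is rejected before any account lookup happens.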
“This bug could have resulted in a full account takeover of user accounts on third-party apps irrespective of a victim having a valid Apple ID or not”, says Jain.
Now, after spotting this vulnerability, Jain reported it to Apple via the company’s Security Bounty Programme. And Apple, in turn, awarded the 27-year-old developer $100,000 (~Rs 75,57,350).
“For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty programme”, Jain announced.