I’m sure we’ve all seen the feature on iPhones now where “Sign in with Apple” offers to take the stress and aggravation out of having to remember keywords, passwords, passphrases, passcodes and all other manner of security credentials with a simple scan of one’s face. But can we trust Apple with this level of automation over our cyber security?
Researcher Bhavuk Jain has received a bug bounty (funds paid for finding faults with software or services) of $100,000 after finding a considerable security flaw in Apple’s Sign In feature. The flaw was found in April and has already been fixed, but it illustrates the importance of keeping your day-to-day tech devices up to date, as you may otherwise be missing updates that patch these holes in your cyber defences.
The security flaw itself is detailed in the link above, but to summarize: an attacker could theoretically forge a token linked to an email ID, and, because that token would verify as valid against Apple’s public key, any app that had no security measures of its own would accept it, allowing a full account takeover, even if the user had elected not to share their email with other apps and services.
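To make “security measures of its own” concrete, here is an added example (not code from the original post, from Bhavuk Jain, or from Apple) of the checks an app should perform on an identity token beyond confirming that the provider’s key verifies the signature: issuer, audience, expiry, and a nonce that ties the token to the sign-in attempt the app itself started. Apple signs real identity tokens with RS256; to keep the example on the standard library, the provider’s signature is stood in for by HMAC-SHA256 with a shared key. The issuer URL is Apple’s real one; the client id, nonce, subject and email values are constructed for the example.

```python
"""Relying-party validation of a sign-in identity token (illustrative).

Added example, not the original post's or Apple's code. The signature is
HMAC-SHA256 with a shared key as a stand-in for Apple's RS256 signature,
so the whole thing runs offline on the standard library.
"""
import base64
import hashlib
import hmac
import json
import time

PROVIDER_KEY = b"stand-in for the provider's signing key"
EXPECTED_ISSUER = "https://appleid.apple.com"   # Apple's real issuer value
OUR_CLIENT_ID = "com.example.myapp"             # constructed client id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = PROVIDER_KEY) -> str:
    """Provider side: sign the claims as a compact JWT (header.body.sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def signature_valid(token: str, key: bytes = PROVIDER_KEY) -> bool:
    """The check the post describes: does the provider's key verify the token?"""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def validate_token(token: str, session_nonce: str, now=None) -> dict:
    """Relying-party side: signature plus the app's own checks.

    Returns the claims when every check passes; raises ValueError otherwise.
    """
    now = time.time() if now is None else now
    if not signature_valid(token):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != OUR_CLIENT_ID:
        raise ValueError("token was issued for a different app")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # Bind the token to the sign-in attempt this app started
    if claims.get("nonce") != session_nonce:
        raise ValueError("nonce does not match this sign-in session")
    return claims


def demo() -> tuple:
    """Return (naive app accepts, careful app accepts) for a token that is
    correctly signed but not bound to the current sign-in session."""
    stray = issue_token({
        "iss": EXPECTED_ISSUER, "aud": OUR_CLIENT_ID, "sub": "000123.abc",
        "email": "user@example.com", "exp": time.time() + 600,
        "nonce": "nonce-from-some-other-session",   # constructed value
    })
    naive_accepts = signature_valid(stray)          # signature alone: accepted
    try:
        validate_token(stray, session_nonce="nonce-for-this-login")
        careful_accepts = True
    except ValueError:
        careful_accepts = False                     # own checks: rejected
    return naive_accepts, careful_accepts


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the contrast: `signature_valid` alone says yes to any token the provider signed, whereas `validate_token` also refuses a token that was not issued for this app, has expired, or carries a nonce the app never handed out for this login.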