Indian dev bags $100,000 for reporting a critical flaw in ‘Sign in with Apple’: Report
The zero-day flaw in the ‘Sign in with Apple’ system could have allowed hackers to gain full control of user accounts on a specific third-party app.
Bhavuk Jain, a New Delhi-based developer, says he has received $100,000 under Apple's bug bounty programme for finding a critical security loophole in the company's ‘Sign in with Apple’ system.
In a blog post, Jain said he had discovered the zero-day bug in the ‘Sign in with Apple’ system, and that it affected third-party applications that used the system and didn't have additional security measures in place.
The critical flaw could have allowed hackers to gain control of user accounts on that specific third-party app. This could have happened regardless of whether the user had a valid Apple ID or not, he added.
Apple is said to have already fixed the flaw. According to Jain, Apple has also determined that the flaw was not exploited by hackers.
“…A lot of developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple - Dropbox, Spotify, Airbnb, Giphy (Now acquired by Facebook). These applications were not tested but could have been vulnerable to a full account takeover if there weren't any other security measures in place while verifying a user,” wrote Jain in the blog post.
Apple launched the ‘Sign in with Apple’ login system in June last year. Touted as a more secure way of signing up with third-party platforms, it allows users to give select details such as name and email address. The information is protected by the company's Face ID 3-D login system on iPhones and iPads.
Users have more flexibility in terms of what information they want to share. One of the highlights is randomised email addresses so that third-party apps or anyone else don't find the real email IDs of users.