Sign in with Apple, a privacy-enhancing tool that allows users to sign in to third-party apps without revealing their email addresses, has just fixed a bug that allowed attackers to gain unauthorized access to those same accounts.

"In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications that used it and did not implement their own additional security measures," application developer Bhavuk Jain wrote Sunday. "This error could have resulted in a complete takeover of the user account in that third-party application, regardless of whether or not a victim has a valid Apple ID."

Jain privately reported the flaw to Apple under the company's bug bounty program and received a sizable payment of $100,000. The developer shared details after Apple updated the login service to patch the vulnerability.

Sign in with Apple debuted in October as an easier, safer, and more private way to log into apps and websites. Given the mandate that many third-party iOS and iPadOS apps offer the option to sign in with Apple, a host of high-profile services entrusted with large amounts of sensitive user data have embraced it.

Rather than using a social media account or email address, filling out web forms, and choosing an account-specific password, iPhone and iPad users can tap a button and sign in with Face ID, Touch ID, or a device passcode. The bug exposed users to the possibility of their third-party accounts being completely hijacked.

The login service, which works similarly to the OAuth 2.0 standard, registers users by using either a JWT (short for JSON Web Token) or a code generated by an Apple server. In the latter case, the code is exchanged for a JWT. Apple offers users the option of sharing their Apple email ID with the third party or keeping it hidden. When users hide the ID, Apple creates a JWT that contains a user-specific relay ID.

"I found out that I could request a JWT for any Apple email ID, and when these tokens were verified for signature using Apple's public key, they were shown to be valid," Jain wrote. "This means that an attacker could spoof a JWT by linking any email ID and gaining access to the victim's account."

There is no indication that the bug has been actively exploited.