Earlier this year, security researcher Bhavuk Jain disclosed a 0-day vulnerability in Sign In with Apple that could easily allow an attacker to get full control of a victim's account by only knowing their email address. Apple patched the vulnerability and stated they could find no evidence of exploitation.
Sign In with Apple is an OAuth 2.0 and OpenID Connect compatible single sign-on provider Apple introduced last year with iOS 13. According to Apple, Sign In with Apple was designed with privacy in mind to enable authentication with limited exchange of personal information, as opposed to login services provided by other platforms.
Jain discovered a flaw in this process that could have provided access to a victim's account on a third-party service using Sign In with Apple by only knowing their email address, even if they had no valid Apple ID. In short, once an attacker had authenticated their identity using a normal OAuth flow, they could have forged a POST request including any other email address to get back a token which could be used to access that victim's account on a third-party platform.
I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.
According to Jain, the bug could be exploited in the "Exchange of JWT" phase of step 2 in the picture above by sending a forged POST request using any email address, to which Apple's service would respond with a valid access token for that email address on the third-party service:
POST /XXXX/XXXX HTTP/1.1
Host: appleid.apple.com
{"email":"contact@bhavukjain.com"}
While Apple's bug was easy to exploit, an attack could only succeed if the third-party service had adopted no additional security measures, says Jain. Apple, he adds, investigated their logs and determined there was no misuse or account compromise due to this vulnerability.
Apple has not disclosed the actual bug behind this behaviour, which according to Jain was fixed promptly. Commenters on Hacker News hinted at the possibility that the bug was caused by not checking whether the email address provided with the second POST was the same as the one used to authenticate in the first place. This in turn could be related to Sign In with Apple allowing users to opt out of transmitting their actual email address to the third party, in which case it is replaced by an Apple relay mail address.
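The two preceding paragraphs make the relying party's side of the story concrete: a JWT whose signature verifies only proves the provider issued it, and whether a forged email claim leads to account takeover depends on what else the third-party service checks. The following is an added example, not code from the article or from Apple, of the checks a relying party can perform on an id_token independently of the provider: pin the algorithm, verify the signature, check issuer, audience and expiry, bind the token to the login attempt through the nonce, and key the local account on the provider's stable `sub` claim rather than on the email claim. The signing key, client id, account store and tokens are all constructed for the demo; because Apple signs with RS256 and publishes its public keys, while this example stays dependency-free, it uses HS256 with a shared secret as a stand-in (an assumption, not Apple's real setup). The page does not say whether Jain's forged tokens carried the victim's subject identifier; the example shows what keying on `sub` buys when they do not.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the provider's signing key (assumption: HS256
# with a shared secret instead of Apple's RS256 with published public keys).
PROVIDER_KEY = b"constructed-demo-key-not-a-real-secret"
EXPECTED_ISSUER = "https://appleid.apple.com"
EXPECTED_ALG = "HS256"
CLIENT_ID = "com.example.relyingparty"  # constructed client id

# Relying-party account store keyed on the provider's stable subject id
# (constructed sample data).
ACCOUNTS = {
    "001234.victim-sub.0001": {"email": "victim@example.com", "name": "Victim"},
    "001234.attacker-sub.0002": {"email": "attacker@example.com", "name": "Attacker"},
}


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key=PROVIDER_KEY):
    """Build a sample HS256 JWT; used only to construct inputs for the demo."""
    header = _b64url_encode(json.dumps({"alg": EXPECTED_ALG, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_id_token(token, session, now=None):
    """Return (claims, None) if the token is acceptable for this login session,
    else (None, reason). A valid signature alone proves only that the provider
    issued the token, not that it belongs to the user in this session."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # bad base64 or JSON, wrong number of segments
        return None, "malformed token"
    # Pin the algorithm; never let the token choose it ("alg": "none" etc.).
    if header.get("alg") != EXPECTED_ALG:
        return None, "unexpected alg"
    expected_sig = hmac.new(PROVIDER_KEY, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return None, "bad signature"
    if claims.get("iss") != EXPECTED_ISSUER:
        return None, "wrong issuer"
    if claims.get("aud") != CLIENT_ID:
        return None, "token issued for another client"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None, "expired"
    # Bind the token to the login attempt that requested it.
    if claims.get("nonce") != session.get("nonce"):
        return None, "nonce does not match this login session"
    if not claims.get("sub"):
        return None, "missing subject"
    return claims, None


def resolve_account(token, session, now=None):
    """Map an id_token to a local account by `sub`; the email claim is treated
    as informational and never used as the account key."""
    claims, reason = validate_id_token(token, session, now)
    if claims is None:
        return None, reason
    account = ACCOUNTS.get(claims["sub"])
    if account is None:
        return None, "unknown subject"
    return account, None


if __name__ == "__main__":
    session = {"nonce": "n-0123456789"}
    base = {"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "exp": 2_000_000_000,
            "nonce": session["nonce"]}
    # A validly signed token whose email claim names the victim but whose
    # subject is someone else's resolves to that other account, not the victim's.
    mismatched = mint_token({**base, "sub": "001234.attacker-sub.0002",
                             "email": "victim@example.com"})
    print(resolve_account(mismatched, session))
```

The order of checks matters: the algorithm is pinned before the signature is computed, and the signature is checked before any claim is read, so a tampered or unsigned token never reaches the claim logic. Keying accounts on `sub` also matches how Apple's relay addresses work: the email a user presents can change or be hidden, the subject identifier does not.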