Bhavuk Jain earns Rs75 lakh just for finding a bug in Apple

A 27-year-old Indian security researcher, Bhavuk Jain, has received Rs 75 lakh (US$100,000) from Apple for finding a zero-day vulnerability in Sign in with Apple, the company's account-authentication service.

The vulnerability could have allowed attackers to take over accounts on third-party services that let users log in with their Apple ID, such as Dropbox, Spotify, Airbnb and Giphy.

Jain is an engineer and holds a bachelor's degree in electronics and communication.

“This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not,” Jain said in a statement on Saturday.

“For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty programme,” he announced.

Jain is a mobile app developer. He is self-employed and works full time as a bug bounty hunter.

Jain reported the bug through Apple's bug bounty programme, and Apple has since patched it.

How Bhavuk Jain Found the Bug

Sign in with Apple is built on OAuth 2.0.

“There are two possible ways to authenticate a user by either using a JWT (JSON Web Token) or a code generated by the Apple server. The code is then used to generate a JWT,” he explained.

In the second step, while authorizing, Apple gives the user the option to either share their Apple email ID with the third-party app or hide it.

If the user decides to hide the email ID, Apple generates its own user-specific Apple relay email ID for that app.

“Depending upon the user selection, after successful authorization, Apple creates a JWT which contains this email ID, which is then used by the 3rd party app to log in a user,” said Jain.

He discovered that he could request JWTs for any email ID from Apple, and when the signature of these tokens was verified using Apple's public key, they showed as valid.

“This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account,” Jain noted.
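To make the trust relationship concrete, here is an added example (not Jain's code, nor Apple's) in Go: a minimal RS256 id_token minter standing in for the identity provider, the signature/issuer/audience/expiry check a third-party app performs, and two ways the app can map the verified token to a local account. The issuer, client id, timestamp, account ids and the assumption that the forged token carries the victim's email alongside the attacker's own `sub` are constructed for illustration and are not stated in the article; Apple's real tokens also carry a `kid` header and are verified against keys fetched from Apple, which this omits.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is the subset of an OpenID Connect id_token that a relying party acts on.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"` // unix seconds
	Email string `json:"email"`
}

var enc = base64.RawURLEncoding

// MintToken stands in for the identity provider: it RS256-signs whatever claims it is handed.
// If the provider can be made to put an attacker-chosen email here, the signature is still genuine.
func MintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	payload, _ := json.Marshal(c) // a flat struct of strings and an int64 cannot fail to marshal
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyToken is the relying-party check: pin the algorithm, verify the signature with the
// provider's public key, then check issuer, audience and expiry (now is unix seconds).
func VerifyToken(pub *rsa.PublicKey, token, wantIss, wantAud string, now int64) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		if raw[i], err = enc.DecodeString(p); err != nil {
			return c, err
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err = json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return c, fmt.Errorf("unexpected header %s", raw[0]) // never let the token choose the algorithm
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return c, fmt.Errorf("bad signature")
	}
	if err = json.Unmarshal(raw[1], &c); err != nil {
		return c, err
	}
	if c.Iss != wantIss || c.Aud != wantAud || now >= c.Exp {
		return c, fmt.Errorf("rejected claims iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return c, nil
}

// LinkByEmail is the risky pattern: trust the email claim and log the caller into whatever
// existing account owns that address. byEmail maps email -> account id.
func LinkByEmail(byEmail map[string]string, c Claims) string { return byEmail[c.Email] }

// LinkBySubject keys the federated identity on (iss, sub), the provider's stable per-user
// identifier; an unknown subject yields "" (a fresh account), never a silent link to an old one.
func LinkBySubject(bySub map[string]string, c Claims) string { return bySub[c.Iss+"|"+c.Sub] }

// Scenario: the victim signed up at the app with a password; the attacker holds a genuinely signed
// token carrying the victim's email but the attacker's own subject (an assumption, not stated in the
// article). Returns the account reached under email linking and under subject linking ("" = none).
func Scenario() (viaEmail, viaSubject string, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", "", err
	}
	const iss, aud, now = "https://idp.example", "com.example.app", int64(1_700_000_000) // constructed
	forged := Claims{Iss: iss, Sub: "attacker-sub", Aud: aud, Exp: now + 600, Email: "victim@example.com"}
	tok, err := MintToken(key, forged)
	if err != nil {
		return "", "", err
	}
	c, err := VerifyToken(&key.PublicKey, tok, iss, aud, now) // succeeds: the signature really is the provider's
	if err != nil {
		return "", "", err
	}
	byEmail := map[string]string{"victim@example.com": "acct-victim"} // existing password account
	bySub := map[string]string{}                                      // no federated identity linked yet
	return LinkByEmail(byEmail, c), LinkBySubject(bySub, c), nil
}

func main() { fmt.Println(Scenario()) }
```

The point the scenario makes is that the third-party app's own checks are not where this fails: a token the provider was willing to sign with an attacker-chosen email passes signature, issuer, audience and expiry verification exactly like a legitimate one, so the fix had to be on Apple's side. What an app can do, as a general OpenID Connect hardening measure rather than anything the article reports, is stop treating an email claim as proof of ownership of an existing local account and key the federated identity on the (iss, sub) pair instead.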
