So, the ‘Sign in with Apple’ feature had a significant vulnerability that’s been thankfully patched. An independent bug bounty hunter, Bhavuk Jain has posted up a detailed take on how he found the vulnerability and reported it to Apple. It’s a pretty fascinating read.
My favourite Apple Sign-In feature has been how you can choose to mask or not share your email ID with a third-party during the authentication process (bye unsolicited emails!). When the email address is hidden, Apple generates a JSON Web Token (or JWT (or JOT if you’re that guy) which is a standard to transmit claims securely between two parties) that is then used by the third-party app to authenticate the user. Bhavuk found that the payload returned by Apple included a URL accessible on Apple’s servers to which he could send just an email address (any email address) and could get authenticated without a password. Apple essentially sent back a valid authentication token that could be used with the third-party app.
This was no doubt a glaring flaw no matter how you slice it. OpenID Connect and OAuth consent flow standards exist for a reason - no matter how excellent your engineers are or how sophisticated your own spin on existing standards are, the risks of rolling your own authentication is pretty damn high.