Now Patched 'Sign in With Apple' Bug Left Users Open to Attack - MacRumorsOpen MenuShow RoundupsShow Forums menuVisit ForumsOpen Sidebar
Skip to Content

Now Patched 'Sign in With Apple' Bug Left Users Open to Attack

Researcher Bhavuk Jain in April discovered a critical Sign in With Apple vulnerability that could have resulted in a takeover of some user accounts. The bug was specific to third party apps that used Sign in With Apple and didn't implement additional security measures.

SigninwithApple e1590865553423
Jain notes that Sign in With Apple works by authenticating a user through a JWT (JSON Web Token) or a code that's generated by Apple's server. Apple then gives users the option to share either the email tied to their Apple ID or a private relay email address,which creates a JWT that's used to log in a user.

Jain then discovered that once JWTs for both Apple ID emails and private relay email addresses were requested and the token's signature was verified using Apple's public key, it "showed as valid." Should the bug have not been discovered, a JWT could be created and used to gain access to one's account.

In an interview with The Hacker News, Jain spoke about the severity of the bug:

The impact of the this vulnerability was quite critical as it could have allowed a full account takeover. Many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins. To name a few that use Sign in with Apple - Dropbox, Spotify, Airbnb, Giphy (now acquired by Facebook).

According to Jain, Apple conducted an investigation and concluded that no accounts were compromised using this method before the vulnerability was patched. Jain was paid $100,000 by Apple under its Apple Security Bounty Program for reporting the bug.

Popular Stories

iPhone 11 Pro Feature Green

Apple's A12 and A13 Chips Facing New Unpatchable Exploit

Thursday June 18, 2026 9:17 am PDT by
Security research firm Paradigm Shift today published details of a new BootROM vulnerability affecting Apple's A12 and A13 chips, along with a working proof-of-concept exploit named "usbliter8." The BootROM, or SecureROM, is the first code an iPhone runs when it powers on. Because it is baked directly into the chip at manufacture, any vulnerability found there cannot be fixed with a software ...
iCloud General Feature Redux

Apple to Unify Sign in With Apple and Hide My Email on One Domain

Monday June 15, 2026 3:56 pm PDT by
Apple is planning to unify the email domains used by Sign in with Apple and iCloud+ Hide My Email under a single private.icloud.com domain. Addresses generated for both features will be issued on the new domain, Apple says. Sign in with Apple addresses currently use the privaterelay.appleid.com domain, while iCloud+ uses icloud.com. Later this summer, both will use the same...
iCloud iPhone 17 Pro

iPhone Users Who Pay for iCloud Storage Get Two New Perks on iOS 27

Thursday July 2, 2026 6:10 am PDT by
If you pay for certain iCloud+ storage plans beyond the 5GB that Apple offers for free, you will receive two more perks on iOS 27 at no additional cost. A summary of the two new iCloud+ perks on iOS 27:Increased daily usage limits for some new Apple Intelligence features, including image generation in the revamped Image Playground app. HomeKit Secure Video cameras receive generated video...

Top Rated Comments

SBlue1 Avatar
80 months ago
100,000? Well deserved. :)
Score: 13 Votes (Like | Disagree)
B4U Avatar
80 months ago
Are we getting numb with the constant SW issues that Apple is having lately?
Score: 11 Votes (Like | Disagree)
Peace Avatar
80 months ago
I’m getting burned out on timmys security problems .

windows is looking better
Score: 10 Votes (Like | Disagree)
I7guy Avatar
80 months ago

I’m getting burned out on timmys security problems .

windows is looking better
Windows is better? Sure windows is as tight as a drum as far as that goes.

Just keep patching them Timmy.
Score: 7 Votes (Like | Disagree)
80 months ago

If it was unexploited and has been patched, there's not much of a story here… except to other businesses that might consider Sign In With Apple.
Bugs are a symptom, not the flaw. The constant stream of problems coming out from Apple shows their software development and QA processes are severely flawed.
Score: 5 Votes (Like | Disagree)
cmaier Avatar
80 months ago

I don't care.

I'm done updating.

I'm sick and tired of my phone being artificially slowed.

I'm back to using Linux for things that need to be secure, like banking, etc.
You know this wasn’t a bug in the client software or operating system, right?
Score: 5 Votes (Like | Disagree)