Seamus  Quitzon

Seamus Quitzon

1593152820

Apple Pays $100K Bounty for Critical 'Sign in With Apple' Flaw

Apple has fixed a critical flaw in its Sign in with Apple feature, which could have been abused by attackers to takeover victims’ third-party applications.

A researcher recently found a critical Apple vulnerability that, if exploited, could enable remote attackers to abuse the “Sign in with Apple” feature to take over victims’ third-party application accounts. The security researcher, Bhavuk Jain, reported the flaw to Apple via its bug bounty program, and was awarded $100,000 for the find.

The flaw stemmed from the “Sign in with Apple” feature, which was introduced by Apple at its Worldwide Developers Conference last year. Sign in with Apple aimed to make it easy and secure for Apple users to sign into third-party apps and websites. It did this by implementing an Apple-backed authentication system to replace social logins on third-party services.

“In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures,” said Jain, in his disclosure of the bug on Sunday. “This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”

Apple has since fixed the flaw. Threatpost has reached out to Apple for further comment.

One of the highlights of Sign in with Apple is that users could sign up with third-party services without needing to disclose their Apple ID email address to these services. This worked because Sign in with Apple would first validate users on the client side, and then initiate a JSON Web Token (JWT) request from Apple’s authentication services. This JWT would then be used by the third-party app to confirm the user’s identity.

The issue was that after Apple validated the user on the client side via their Apple ID email address, it did not verify that the JWT request was from that actual user account. An attacker could abuse this flaw by providing an Apple ID email that belongs to the victim and tricking Apple servers into generating a valid JWT payload. Once an attacker does this, he can then sign into a third-party app using the victim’s identity.

apple critical flaw

“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” he said. “This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”

According to The Hacker News, the flaw could be exploited even if users had decided to hide their email IDs from third-party services. It could also be exploited to sign up new accounts with victims’ Apple IDs.

There are two hoops that attackers would need to jump through to make this exploit work. First, they would need an email ID for an Apple user – though that could be any Apple user’s email ID. Second, they would need to log into a third-party app via Sign in with Apple that didn’t require any further security measures.

Jain said the impact of this vulnerability is “quite critical” as it could allow full account takeover. Many developers have integrated Sign in with Apple into their services, including Dropbox, Spotify, Airbnb, and Giphy.

“These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user,” Jain said.

Jain said that Apple conducted an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability. The researcher found the flaw in April and reported it via Apple’s bug bounty program which earned him $100,000. Threatpost has reached out to Jain for further details on the timeline of discovering and reporting the flaw.

#mobile security #vulnerabilities #web security #app takeover #apple #apple bug bounty #apple flaw #bug bounty #critical flaw #security vulnerability #sign in with apple #third party app

What is GEEK

Buddha Community

Apple Pays $100K Bounty for Critical 'Sign in With Apple' Flaw
Seamus  Quitzon

Seamus Quitzon

1593152820

Apple Pays $100K Bounty for Critical 'Sign in With Apple' Flaw

Apple has fixed a critical flaw in its Sign in with Apple feature, which could have been abused by attackers to takeover victims’ third-party applications.

A researcher recently found a critical Apple vulnerability that, if exploited, could enable remote attackers to abuse the “Sign in with Apple” feature to take over victims’ third-party application accounts. The security researcher, Bhavuk Jain, reported the flaw to Apple via its bug bounty program, and was awarded $100,000 for the find.

The flaw stemmed from the “Sign in with Apple” feature, which was introduced by Apple at its Worldwide Developers Conference last year. Sign in with Apple aimed to make it easy and secure for Apple users to sign into third-party apps and websites. It did this by implementing an Apple-backed authentication system to replace social logins on third-party services.

“In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures,” said Jain, in his disclosure of the bug on Sunday. “This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”

Apple has since fixed the flaw. Threatpost has reached out to Apple for further comment.

One of the highlights of Sign in with Apple is that users could sign up with third-party services without needing to disclose their Apple ID email address to these services. This worked because Sign in with Apple would first validate users on the client side, and then initiate a JSON Web Token (JWT) request from Apple’s authentication services. This JWT would then be used by the third-party app to confirm the user’s identity.

The issue was that after Apple validated the user on the client side via their Apple ID email address, it did not verify that the JWT request was from that actual user account. An attacker could abuse this flaw by providing an Apple ID email that belongs to the victim and tricking Apple servers into generating a valid JWT payload. Once an attacker does this, he can then sign into a third-party app using the victim’s identity.

apple critical flaw

“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” he said. “This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”

According to The Hacker News, the flaw could be exploited even if users had decided to hide their email IDs from third-party services. It could also be exploited to sign up new accounts with victims’ Apple IDs.

There are two hoops that attackers would need to jump through to make this exploit work. First, they would need an email ID for an Apple user – though that could be any Apple user’s email ID. Second, they would need to log into a third-party app via Sign in with Apple that didn’t require any further security measures.

Jain said the impact of this vulnerability is “quite critical” as it could allow full account takeover. Many developers have integrated Sign in with Apple into their services, including Dropbox, Spotify, Airbnb, and Giphy.

“These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user,” Jain said.

Jain said that Apple conducted an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability. The researcher found the flaw in April and reported it via Apple’s bug bounty program which earned him $100,000. Threatpost has reached out to Jain for further details on the timeline of discovering and reporting the flaw.

#mobile security #vulnerabilities #web security #app takeover #apple #apple bug bounty #apple flaw #bug bounty #critical flaw #security vulnerability #sign in with apple #third party app

Micheal  Block

Micheal Block

1602936000

Wormable Apple iCloud Bug Allows Automatic Photo Theft

A group of ethical hackers cracked open Apple’s infrastructure and systems and, over the course of three months, discovered 55 vulnerabilities, a number of which would have given attackers complete control over customer and employee applications.

Of note, a critical, wormable iCloud account takeover bug would allow attackers to automatically steal all of a victim’s documents, photos, videos and more.

The discovery by hackers Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes demonstrated key weaknesses in the company’s “massive” infrastructure while it also earned the team nearly $300,000 to date in rewards for their efforts, Curry wrote in an extensive blog post detailing the team’s findings.

Among the flaws found in core portions of Apple’s infrastructure includes ones that would have allowed an attacker to: “fully compromise both customer and employee applications; launch a worm capable of automatically taking over a victim’s iCloud account; retrieve source code for internal Apple projects; fully compromise an industrial control warehouse software used by Apple; and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources,” he wrote.

Of the 55 vulnerabilities discovered, 11 were rated with critical severity, 29 with high severity, 13 with medium severity and two with low severity. Researchers rated the bugs based on the CvSS vulnerability-severity rating, and “our understanding of the business-related impact,” Curry said.

The wormable iCloud bug is a cross-site scripting (XSS) issue, according to the writeup. iCloud is an automatic storage mechanism for photos, videos, documents, and app related data for Apple products. Additionally, this platform provides services like Mail and Find my iPhone.

“The mail service is a full email platform where users can send and receive emails similar to Gmail and Yahoo,” explained Curry. “Additionally, there is a mail app on both iOS and Mac which is installed by default on the products. The mail service is hosted on www.icloud.com alongside all of the other services like file and document storage.”

He added, “This meant, from an attackers perspective, that any cross-site scripting vulnerability would allow an attacker to retrieve whatever information they wanted to from the iCloud service.”

#bug bounty #cloud security #hacks #iot #mobile security #privacy #vulnerabilities #web security #$300 #000 #apple #apple bug bounty program #applications #authentication bypass #bug bounty #critical bugs #critical flaws #developers #ethical hackers #hackers #hardware #icloud #sam curry #software #source code #takeover #vulnerabilities #wormable #xss

Christa  Stehr

Christa Stehr

1595661791

Apple Security Research Device Program Draws Mixed Reactions

Apple’s Security Research Device program is now open to select researchers – but some are irked by the program’s vulnerability disclosure restrictions.

Apple’s long anticipated Security Research Device program has launched, giving select security researchers access to testable iPhones that will make it easier for them to find iOS vulnerabilities.

The program offers security researchers specially configured iPhones with shell access, and special features such as advanced debug capabilities. The devices behave “as closely to a standard iPhone as possible in order to be a representative research target,” said Apple.

“As part of Apple’s commitment to security, this program is designed to help improve security for all iOS users, bring more researchers to iPhone, and improve efficiency for those who already work on iOS security,” according to Apple in a Wednesday announcement. “It features an iPhone dedicated exclusively to security research, with unique code execution and containment policies.”

To be eligible for the program, researchers must be a membership Account Holder in the Apple Developer Program and have a “proven track record of success” in finding security issues on Apple platforms.

The devices are provided on a 12-month renewable basis, are not meant for personal use, and must remain on the premises of program participants at all times, according to Apple.

“If you use the SRD to find, test, validate, verify, or confirm a vulnerability, you must promptly report it to Apple and, if the bug is in third-party code, to the appropriate third party,” according to Apple.

Mixed Reactions

The Security Research Device program has been praised by some in the security space as a “good step forward” for the iPhone maker, which up until last summer had a historically restricted bug bounty program.

Patrick Wardle, security researcher with Jamf, said that the new program will make the analysis of third-party apps much easier – which is “something that may directly impact end users in a positive way.”

“I’m happy that Apple is moving forward with this program,” Wardle told Threatpost. “Though the devices may not be fully open (i.e. probably won’t have the ability to boot custom kernels, etc) and there are some legal restraints (i.e. any bug found must be reported to Apple), I still think it’s a good step forward.”

On the flip side, however, Google Project Zero’s security research team, Ben Hawkes, took to Twitter to air complaints about the program’s vulnerability disclosure restrictions.

“It looks like we won’t be able to use the Apple ‘Security Research Device’ due to the vulnerability disclosure restrictions, which seem specifically designed to exclude Project Zero and other researchers who use a 90 day policy,” he said.

Apple’s program policy says that if researchers report a vulnerability affecting Apple products, Apple will provide them with a publication date (usually the date on which Apple releases the update to resolve the issue).

“Apple will work in good faith to resolve each vulnerability as soon as practical,” according to the policy. “Until the publication date, you cannot discuss the vulnerability with others.”

Threatpost has reached out to Apple for further clarification on this policy.

Hawkes said Google Project Zero will continue to research Apple platforms and provide Apple with their findings. “But I’ll confess, I’m pretty disappointed,” he said.

#bug bounty #mobile security #apple #apple bug bounty #apple developer program #bug bounty #ios #iphone #mac #macos #security research device program #vulnerability

Hollie  Ratke

Hollie Ratke

1597554000

Critical Intel Flaw Afflicts Several Motherboards, Server Systems, Compute Modules

Intel is warning of a rare critical-severity vulnerability affecting several of its motherboards, server systems and compute modules. The flaw could allow an unauthenticated, remote attacker to achieve escalated privileges.

The recently patched flaw (CVE-2020-8708) ranks 9.6 out of 10 on the CVSS scale, making it critical. Dmytro Oleksiuk, who discovered the flaw, told Threatpost that it exists in the firmware of Emulex Pilot 3. This baseboard-management controller is a service processor that monitors the physical state of a computer, network server or other hardware devices via specialized sensors.

Click to register!

Emulex Pilot 3 is used by various motherboards, which aggregate all the server components into one system. Also impacted are various server operating systems, and some Intel compute modules, which are electronic circuits, packaged onto a circuit board, that provide various functions.

The critical flaw stems from improper-authentication mechanisms in these Intel products before version 1.59.

In bypassing authentication, an attacker would be able to access to the KVM console of the server. The KVM console can access the system consoles of network devices to monitor and control their functionality. The KVM console is like a remote desktop implemented in the baseboard management controller – it provides an access point to the display, keyboard and mouse of the remote server, Oleksiuk told Threatpost.

The flaw is dangerous as it’s remotely exploitable, and attackers don’t need to be authenticated to exploit it – though they need to be located in the same network segment as the vulnerable server, Oleksiuk told Threatpost.

“The exploit is quite simple and very reliable because it’s a design flaw,” Oleksiuk told Threatpost.

Beyond this critical flaw, Intel also fixed bugs tied to 22 critical-, high-, medium- and low-severity CVEs affecting its server board, systems and compute modules. Other high-severity flaws include a heap-based overflow (CVE-2020-8730) that’s exploitable as an authenticated user; incorrect execution-assigned permissions in the file system (CVE-2020-8731); and a buffer overflow in daemon (CVE-2020-8707) — all three of which enable escalated privileges.

intel flaw

Click to enlarge.

Oleksiuk was credited with reporting CVE-2020-8708, as well as CVE-2020-8706, CVE-2020-8707. All other CVEs were found internally by Intel.

Affected server systems include: The R1000WT and R2000WT families, R1000SP, LSVRP and LR1304SP families and R1000WF and R2000WF families.

Impacted motherboards include: The S2600WT family, S2600CW family, S2600KP family, S2600TP family, S1200SP family, S2600WF family, S2600ST family and S2600BP family.

Finally, impacted compute modules include: The HNS2600KP family, HNS2600TP family and HNS2600BP family. More information regarding patches is available in Intel’s security advisory.

Intel also issued an array of other security advisories addressing high-severity flaws across its product lines, including ones that affect Intel Graphics Drivers, Intel’s RAID web console 3 for Windows, Intel Server Board M10JNP2SB and Intel NUCs.

#vulnerabilities #compute module #critical flaw #cve-2020-8708 #intel #intel critical flaw #intel flaw #intel motherboard #intel server board #patch #privilege escalation #security vulnerability #server system

Marcus Anthony

1612355729

Amazon Pay Clone, Amazon Pay Clone Script, Recharge & Wallet App Solution

Mobile wallet applications have become the new trend in today’s world. Apps like Amazon Pay, Paytm, PayPal are some of the leading apps that are owned and used by millions. Be it paying bills, recharging, or money transactions, everything has turned easier because of these apps. There were days when people used to travel for hours to do these tasks have been totally transformed. Moreover, consumers can use these e-wallet apps while paying in a store, either for shopping or while eating out. Thus, as far as mobile wallets are concerned, they are a convenient way for handling all the tasks involving finance.

As an aspiring entrepreneur, if you wish to succeed in your business, without second thoughts, go for Amazon Pay clone app development. Let’s narrow down your thinking processes for a quicker stride forward by analyzing the types of apps first.

Types of e-wallet apps you could develop:

Retail application: An app like Amazon is considered the retail app because it has a mobile wallet in it. It has all the basic functionalities, which helps users to redeem coupons and reward points. All the payment modes are accessible through the app, including net banking.

Dedicated app: The app allows P2P money transactions by storing a variety of cards. You could also make international money transfers using this app. Example: PayPal, Apple Pay, and Amazon Pay.

PoS payments: The PoS payment wallet apps are found at the stores. It is exclusively used by the users to make contactless payments without having to stand in a long queue.

Wrapping up,
Choose the best type of e-wallet app you want to develop and join forces with our Appdupe. Grab the cutting-edge Amazon Pay Clone script and launch an app in a week!

##amazon pay clone ##amazon pay clone script ##amazon pay clone app ##amazon pay clone app development ##amazon pay app clone ##amazon pay app clone development