Welcome back to this week's security bulletin!
We can log into many applications using personal accounts such as Gmail, Facebook, and Apple; Dropbox, Spotify, Airbnb, and Giphy are some of them. You may have seen the "Sign in with Apple" option, and a researcher found a critical bug in it that could have let an attacker take over your account.
This vulnerability allowed attackers to bypass authentication and take over targeted users' accounts on third-party apps and services that had registered with the 'Sign in with Apple' option.
This feature was introduced last year, and it lets users sign up for an account with a third-party app without revealing their real email address. When a user authenticates via "Sign in with Apple", Apple's server generates a JSON Web Token (JWT), signed by Apple and containing the user's identity information, which the third-party application uses to confirm the user's identity.
Apple asks users to log in to their Apple account before it initiates the request. After successful authorization, it creates a JWT that contains the user's Email ID, which the third-party app then uses to log the user in. However, Apple's authentication server did not validate that the person requesting the JWT in this next step was the same person who had just logged in.
The researcher said, "I found I could request JWTs for any Email ID from Apple, and when the signature of these tokens was verified using Apple's public key, they showed as valid. That means an attacker could forge a JWT by linking any Email ID and gaining access to the victim's account."
"The impact of this vulnerability was quite critical as it could have allowed a full account takeover. Many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins," he added.
Although Apple has patched this vulnerability, it is better to use two-factor authentication alongside social logins.
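To make the token flow concrete, here is an added example (not code from the bulletin, from Apple, or from the researcher) of the check a third-party app performs on an identity token it receives from a social-login provider. Apple signs its tokens with a private key and publishes the public key for verification; to stay dependency-free, the example signs with HS256 using a constructed shared key that stands in for the issuer's key, and the issuer URL and client ID are constructed placeholders. It shows why the bug had to be fixed on Apple's side: a token the issuer signed for any chosen Email ID passes every check the third-party app can make (signature, issuer, audience, expiry), while a token whose payload was tampered with, signed with a different key, or unsigned is rejected.

```python
"""Relying-party verification of a social-login identity token.

Added example, not code from the bulletin or from Apple. HS256 with a
constructed shared key stands in for the issuer's asymmetric signing
key; ISSUER, CLIENT_ID and ISSUER_KEY are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://issuer.example"        # constructed placeholder for the provider
CLIENT_ID = "com.example.relyingparty"   # constructed audience (the third-party app)
ISSUER_KEY = b"constructed-issuer-key"   # stands in for the issuer's signing key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(email: str, key: bytes = ISSUER_KEY, ttl: int = 600, now=None) -> str:
    """Issuer side: sign a token carrying the e-mail identity claim.

    This is the step the bulletin describes as flawed: the issuer signed
    tokens for whatever Email ID was requested, so the signature alone
    says nothing about who asked for the token.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": CLIENT_ID, "iat": now, "exp": now + ttl, "email": email}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, key: bytes = ISSUER_KEY, now=None):
    """Relying-party side: return the e-mail claim if the token is valid, else None.

    Checks signature, pinned algorithm, issuer, audience and expiry. These
    are all a third-party app can check; a token the issuer genuinely
    signed for the wrong person passes them all.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose how it is verified.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        if payload.get("iss") != ISSUER or payload.get("aud") != CLIENT_ID:
            return None
        if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
            return None
        return payload.get("email")
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None


if __name__ == "__main__":
    t = issue_token("victim@example.com", now=1000)
    print("issuer-signed token verifies as:", verify_token(t, now=1200))
    h, p, s = t.split(".")
    forged = h + "." + _b64url_encode(b'{"email":"other@example.com"}') + "." + s
    print("tampered payload verifies as:", verify_token(forged, now=1200))
```

The last check in `verify_token` is the relying party's limit: everything it can test is about the token, not about the session in which the token was requested, which is why the bulletin's advice is to add two-factor authentication on top of the social login rather than to rely on token validation alone.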
Another vulnerability has been discovered in Android that lets malicious apps masquerade as any other app installed on a device and display fake interfaces to users in order to steal sensitive information. It is tracked as CVE-2020-0096, and the affected versions are Android 8.0, Android 8.1, and Android 9.
When a user taps the legitimate application, the malicious app runs in the background and displays a fake interface by hijacking the task. This flaw is very dangerous because:
- It is almost impossible for targeted users to spot the attack.
- It can be used to hijack the interface of any application installed on a targeted device without any configuration.
- It can be used to fraudulently request any device permission.
- It can be exploited without root access.
- It works on all Android versions except Q.
- It doesn't need any special permission to work on the device.
You can spot these attacks by keeping an eye on:
- applications you have already logged in to that ask you to log in again,
- permission popups that do not show an application name,
- buttons and links in the user interface that do nothing when clicked,
- permissions requested by applications that should not need them, etc.