Indian finds bug in Apple, gets Rs 75 lakh

whitestar_999

Super Moderator
Staff member
Source: Apple Bug Bounty: Indian finds bug in Apple, gets Rs 75 lakh | India Business News - Times of India

Apple has awarded Indian bug bounty hunter Bhavuk Jain Rs 75 lakh ($100,000) under its bug bounty programme after he found a bug in the 'Sign in with Apple' account authentication that would have allowed an attacker to take control of users' accounts on third-party applications.
The 27-year-old developer spotted a bug in April and soon after, Apple fixed the vulnerability.
“The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated 'Sign in with Apple' since it is mandatory for applications that support other social logins. To name a few that use 'Sign in with Apple': Dropbox, Spotify, Airbnb, Giphy (now acquired by Facebook). These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user,” Jain wrote on a blog.
Jain holds a bachelor’s degree in electronics and communication. A full-stack developer, Jain is interested mostly in mobile app development using React Native. He has won several rewards from Facebook, Google, Grab, Stack Overflow and Pinterest for finding security vulnerabilities on their platforms.
Bug bounty hunting is becoming big business. In 2019, hackers like Jain earned nearly $40 million in bounties, almost equal to the entire amount awarded in all prior years combined, according to bug bounty platform HackerOne's latest report. Hackers in India earned the second most from such hunting - 10% of the total, behind the US at 19%.
The 'Sign in with Apple' button on a participating app or website allows users to set up an account and sign in with their Apple ID, instead of creating a separate account for the app or website. Users can sign in quickly and securely with Apple's Face ID, Touch ID, or their device passcode.
Jain said there are two possible ways to authenticate on 'Sign in with Apple', either by using a JWT (JSON Web Token) or a code generated by the Apple server. The code is then used to generate a JWT, an internet standard for the secure transfer of information between two parties. “I found I could request JWTs for any email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any email ID to it and gaining access to the victim’s account,” Jain wrote in his blog. He said Apple also did an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability.
Ironically, people like him don't get any attention at all in the IT Communications Ministry. Forget about consulting such people; govt babus will most likely not even meet them if they request a meeting, and that is why India will never become a major power in cyber warfare as long as this mindset continues.

@Desmond David @Nerevarine @omega44-xt @SaiyanGoku
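As an added example (not code from the article, from Jain's write-up or from Apple), this is the set of checks a relying party should run before it trusts a 'Sign in with Apple' style identity token like the one the article describes, written in Go against the standard library. The identity provider is simulated locally with a freshly generated RSA key and an RS256 JWT minted by the demo itself; the issuer string, client id, subject values, e-mail address and account store are all constructed for the demo, not taken from any real integration. Beyond checking the signature with the provider's public key, the relying party pins the algorithm, checks issuer, audience and expiry, and keys the account lookup on the stable `sub` claim rather than on `email`. That last point is one "other security measure" of the kind the quoted passage alludes to: a validly signed token that carries someone else's e-mail address under a different subject does not reach that person's account.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Relying-party configuration; both values are constructed for this demo.
const (
	expectedIssuer   = "https://appleid.apple.com"
	expectedAudience = "com.example.relyingparty"
)

type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// NewKey makes a fresh RSA key so the provider (and an impostor) can be simulated offline.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// MintToken builds and signs an RS256 JWT; it stands in for the identity provider.
func MintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyToken (relying-party side): pin alg, verify the signature with the provider's key, check iss/aud/exp.
func VerifyToken(pub *rsa.PublicKey, token string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	bodyJSON, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg") // the token never picks its own algorithm
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(bodyJSON, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != expectedIssuer:
		return nil, errors.New("wrong issuer")
	case c.Aud != expectedAudience:
		return nil, errors.New("wrong audience") // minted for some other app
	case now >= c.Exp:
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// ResolveAccount keys the local account on the stable subject identifier, never on email.
func ResolveAccount(accounts map[string]string, c *Claims) (string, bool) {
	acct, ok := accounts[c.Sub]
	return acct, ok
}

func main() {
	provider, now := NewKey(), int64(1_600_000_000) // fixed clock (constructed)
	tok, _ := MintToken(provider, Claims{Iss: expectedIssuer, Aud: expectedAudience, Sub: "001234.victim", Email: "victim@example.com", Exp: now + 600})
	c, err := VerifyToken(&provider.PublicKey, tok, now)
	fmt.Println(c, err) // genuine token: the claims and a nil error
}
```

`main` only shows the happy path; the interesting cases are a token signed with a key the provider never used (signature check fails), an expired token, a token minted for a different client id (audience check fails), and a validly signed token that carries the victim's e-mail under another subject, which verifies but resolves to no account because the lookup uses `sub`. In a real integration the public key comes from the provider's published key set rather than a locally generated one.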
 

Desmond David

Destroy Erase Improve
Staff member
Admin
Source: Apple Bug Bounty: Indian finds bug in Apple, gets Rs 75 lakh | India Business News - Times of India

Ironically, people like him don't get any attention at all in the IT Communications Ministry. Forget about consulting such people; govt babus will most likely not even meet them if they request a meeting, and that is why India will never become a major power in cyber warfare as long as this mindset continues.

@Desmond David @Nerevarine @omega44-xt @SaiyanGoku
Wow. Bug bounty programmes are serious business.

In India, if you report such a thing, you'll most likely be jailed for hacking lol.

Sent from my GM1911 using Tapatalk
 

thetechfreak

Legend Never Ends
Wow. Bug bounty programmes are serious business.

In India, if you report such a thing, you'll most likely be jailed for hacking lol.

Sent from my GM1911 using Tapatalk
Yeah, it's one thing Apple, Facebook etc. take seriously. Payouts depend on severity, but they do pay out most of the time.

Sent from my vivo 1807 using Tapatalk
 

SaiyanGoku

kamehameha!!
Source: Apple Bug Bounty: Indian finds bug in Apple, gets Rs 75 lakh | India Business News - Times of India

Ironically, people like him don't get any attention at all in the IT Communications Ministry. Forget about consulting such people; govt babus will most likely not even meet them if they request a meeting, and that is why India will never become a major power in cyber warfare as long as this mindset continues.

@Desmond David @Nerevarine @omega44-xt @SaiyanGoku
Babus don't care about white hats or black hats until govt. websites get hacked. :(
It's a cost-cutting measure and a "chalta hai" attitude which prevents devs from getting country-level recognition by the ministry.
 

whitestar_999

Super Moderator
Staff member
Babus don't care about white hats or black hats until govt. websites get hacked. :(
It's a cost-cutting measure and a "chalta hai" attitude which prevents devs from getting country-level recognition by the ministry.
Most babus don't even know; they probably think white hats represent seniority over black hats. :lol:
 