Apple will pay Rs 75 lakh to Delhi-based techie for finding security bug

NEW DELHI: Apple will pay $100,000, or around Rs 75 lakh, to Delhi-based security researcher Bhavuk Jain for reporting a critical security bug in the new “Sign in with Apple” feature. The ‘Sign in with Apple’ feature was introduced with iOS 13, iPadOS 13, macOS Catalina, watchOS 6 and tvOS 13. Apple wanted to give users more privacy when using third-party apps and websites: instead of the user’s email ID, ‘Sign in with Apple’ logs the user in to apps with their Apple ID.

“It allowed potential account takeovers on third-party applications that use Sign in with Apple, irrespective of whether they are an Apple user or not,” he said in an interaction with The Times of India-GadgetsNow when asked about the severity of the bug.

“What if I say your email ID is all I need to take over your account on your favorite website or app. Sounds scary, right? This is what a bug in Sign in with Apple allowed me to do. This bug could have resulted in a full account takeover of user accounts on that third-party application, irrespective of the victim having a valid Apple ID or not,” explained the 27-year-old, who holds a B.Tech in Electronics and Communications Engineering from Uttar Pradesh Technical University.

Jain has been hunting bug bounties full-time for three years and has been rewarded by Facebook, Yahoo, Google, Grab, Stack Overflow and Pinterest in the past for finding security vulnerabilities.

Jain said the bug-hunting process for ‘Sign in with Apple’ sounded quite simple.

“It took me a day frankly,” he said.
When asked how Apple could have overlooked such a rudimentary bug, he said, “It’s rare that these kinds of bugs exist. But it happens sometimes; basic issues are overlooked. Maybe Apple didn’t think this was possible.”

“They were quick in fixing it. After acknowledging the report, it was fixed within a few hours,” he added.
As far as the bounty is concerned, Jain had no information about the prize money before he reported the issue to Apple. “They informed me about the bounty amount ($100,000) after the issue got fixed, and the payment is under processing,” he said.