Apple pays 27-year-old Indian bug hunter over Rs 75 lakh for spotting flaw in its sign-in process

An Indian developer has earned over Rs 75 lakh from the Apple Security Bounty Programme for spotting a bug in the sign-in process that uses Apple ID.
The bug was in the process that lets an iPhone or Mac user log into a third-party website with their Apple ID. Indian bug bounty hunter and developer Bhavuk Jain, 27, spotted a vulnerability that would have let an attacker break into the accounts of Apple users who had logged into third-party apps such as Dropbox, Spotify, Airbnb, Giphy (now acquired by Facebook) and more.
Jain discovered a bug in "Sign In With Apple" that affected third-party applications using it.
"This bug could have resulted in a full account takeover of user accounts on that third-party application irrespective of a victim having a valid Apple ID or not," Jain noted on his blog.
Jain, who holds a bachelor’s degree in electronics and communication, was paid around $100,000, or a little over Rs 75 lakh, under the Apple Security Bounty Programme.
Jain is a full-stack developer interested mostly in mobile app development using React Native. He is currently a full-time bug bounty hunter "trying to make the internet a safer place for everyone", news agency IANS noted.
Sign In With Apple was launched in 2019 to offer more privacy-focused logins for third-party apps.
"In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications that were using it and didn’t implement their own additional security measures. This bug could have resulted in a full account takeover of user accounts on that third-party application irrespective of a victim having a valid Apple ID or not," Jain wrote on his blog.
Jain’s blog stated that Apple confirmed there had been no misuse or account compromise due to the vulnerability.
Almost all big tech companies run bug-bounty programmes where they award money to people who find security bugs or flaws in their services and applications.
This is not the first time an Indian developer has received a large bounty for finding a bug, although Jain’s bounty from Apple is one of the biggest an Indian developer has received so far. In the past, Google and Facebook have paid lakhs of rupees to Indian developers for finding bugs.