
Researcher was able to access Apple accounts due to vulnerability in TouchID – Tablets and phones – News

A Dutch security researcher discovered a vulnerability in the feature that lets users log in to Apple websites and iCloud with TouchID. It allowed him to take over accounts, although exploitation also required a second vulnerability on an Apple website. The flaw has since been fixed.

The flaw affected pages where users can log in with their Apple ID, specifically domains ending in apple.com, icloud.com and icloud.com.cn. Logging in to an iCloud account is based on OAuth2, which uses the redirect URI to verify whether a client ID is legitimately allowed to log in on an Apple page. Security researcher Thijs Alkemade of Computest discovered, however, that this verification works differently when a user logs in with TouchID, and that a vulnerability in that path allowed third parties to log in to users' accounts.

When logging in with TouchID, a process called AKAppSSOExtension is invoked, which communicates with the AuthKit daemon, akd. This process does not verify the client ID against the redirect URI. Instead, it uses a whitelist that automatically accepts every domain under apple.com, icloud.com and icloud.com.cn. According to Alkemade, it would in principle be possible to abuse any of those domains to get a client ID approved without the proper verification.

However, doing so requires running JavaScript on one of those domains or on a subdomain of one, which makes the attack difficult in practice: an attacker would have to take over a subdomain or find a cross-site scripting bug on one. A subdomain that can be reached over plain http would also be vulnerable, since an attacker on the network path could inject script into it.
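The difference between the two checks described above is easiest to see side by side. The following is an added illustration, not code from Apple, akd or Computest: it models the domain-suffix whitelist the article describes next to a per-client redirect URI check, using made-up client IDs, redirect URIs and a hypothetical support subdomain. It does not reproduce akd's actual logic; it only shows why a suffix whitelist trusts every subdomain, including one an attacker can run JavaScript on, while a redirect URI bound to the client ID does not.

```python
from urllib.parse import urlsplit

# The domain suffixes the article says the TouchID login path whitelisted.
WHITELISTED_DOMAINS = ("apple.com", "icloud.com", "icloud.com.cn")

# Hypothetical client registrations. These client IDs and redirect URIs are
# constructed for this example and are not real Apple identifiers.
REGISTERED_CLIENTS = {
    "example-icloud-web": {"https://www.icloud.com/auth/callback"},
    "example-support-portal": {"https://support.example.apple.com/login/done"},
}


def host_of(url):
    """Return the lower-cased hostname of a URL, or None if it has none."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def whitelist_allows(client_id, redirect_uri):
    """The weak check: any host at or under a whitelisted domain passes,
    regardless of which client_id is asking (client_id is deliberately unused).
    Label-aware matching is used so that e.g. notapple.com does not pass; the
    weakness is not sloppy string matching but trusting every subdomain."""
    host = host_of(redirect_uri)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in WHITELISTED_DOMAINS)


def redirect_uri_allows(client_id, redirect_uri):
    """The OAuth2-style check: the redirect URI must exactly match one of the
    URIs registered for this client_id. Exact comparison avoids suffix/prefix
    tricks and ties the grant to the page that is really asking for it."""
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, set())


def compare(client_id, redirect_uri):
    """Run both checks on one (client_id, redirect_uri) pair."""
    return {
        "whitelist": whitelist_allows(client_id, redirect_uri),
        "redirect_uri": redirect_uri_allows(client_id, redirect_uri),
    }


# Constructed scenarios: the legitimate callback, a captive-portal page on an
# apple.com subdomain (where an attacker might get script to run), the same
# page over plain http, and a look-alike domain outside the whitelist.
SCENARIOS = [
    ("example-icloud-web", "https://www.icloud.com/auth/callback"),
    ("example-icloud-web", "https://captive.apple.com/hotspot-detect.html"),
    ("example-icloud-web", "http://captive.apple.com/hotspot-detect.html"),
    ("example-icloud-web", "https://notapple.com/auth/callback"),
]


def run_scenarios():
    """Return results for every constructed scenario."""
    return [(cid, uri, compare(cid, uri)) for cid, uri in SCENARIOS]


if __name__ == "__main__":
    for cid, uri, result in run_scenarios():
        print(f"{cid:24} {uri:50} {result}")
```

Only the legitimate callback passes the redirect URI check; the whitelist also accepts the captive-portal subdomain, over https or plain http, for a client ID it was never registered for, which is exactly the gap a script on that subdomain could exploit.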

Alkemade describes several ways to exploit the flaw in practice. "The attack could be carried out from the page that opens automatically when you join a Wi-Fi network where you first have to accept terms, as is common on networks in hotels or at airports," he says. "That automatically opens captive.apple.com, allowing users to give an attacker access to their account just by accepting a TouchID prompt from that page."

Alkemade reported the flaw to Apple earlier this year, and the company has since fixed it. The authentication server no longer relies on a whitelist but checks whether the client ID is actually authorized.
