A security specialist at the IT firm Computest, Thijs Alkemade, found a security flaw in Apple's Touch ID feature in February. The flaw could leave the iCloud accounts of Apple users vulnerable and accessible to attackers when Apple's Touch ID feature is used for verification.
According to the specialist, when a user logs in to any of Apple's domains, the normal way to log in is by entering an ID and password. For this, an iframe embedded in the website points to Apple's login validation server, which handles the authentication process. The iframe URL is made up of two components: the client identifier, "client_id", and a redirect URI, "redirect_uri", to which the page is redirected after successful authentication.
However, when the login is authenticated using Touch ID, it works a little differently. The two-factor authentication of a normal login is skipped, although the Touch ID flow still includes two factors, namely the user's biometrics and the user's device, which are considered for verification. The communication is done with the AuthKit daemon, which handles the biometric authentication and retrieves a token that the Apple domain uses to continue the login process.
The daemon then sends the details of the request, and the form which receives the daemon's token, to an API, 'gsa.apple.com'. It is this API that contains the flaw: it verifies the client ID without authentication, which allows the domain to be abused. The redirect URI is matched to the client ID without being checked.
In simple words, logging in on any Apple domain, whether through Safari or other Apple products, using the Touch ID feature could expose this vulnerability in the security system, enabling attackers to access the user's iCloud account, which means access to personal data such as device backups, location, phone files and much more.
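The weakness described above is a client_id / redirect_uri binding check that is missing on the server side. The following added example (written for this page, not Apple's code, and not taken from the Computest report) models an authorization endpoint twice: once issuing a token to whatever redirect_uri was supplied, and once requiring the redirect_uri to match, exactly, one of the URIs registered for that client_id. The client registry, client identifiers and URIs are constructed placeholders.

```python
"""Modelling the client_id / redirect_uri check discussed on this page.

Constructed example: the registry, client identifiers and URIs below are
invented for illustration and are not real Apple clients or endpoints.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed registry: each client_id maps to the exact redirect URIs it
# registered at onboarding. Placeholder values, not real identifiers.
REGISTERED_CLIENTS = {
    "example-web-client": {"https://app.example.com/callback"},
    "example-other-client": {"https://other.example.com/oauth/return"},
}


def issue_token_unchecked(client_id: str, redirect_uri: str) -> Optional[dict]:
    """Weak behaviour: only checks that the client_id exists, then trusts
    whatever redirect_uri accompanied it. Any page able to choose the
    redirect_uri gets the token delivered to a location of its choosing."""
    if client_id not in REGISTERED_CLIENTS:
        return None
    return {"token": "token-for-" + client_id, "redirect_uri": redirect_uri}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: the redirect_uri must be one of the URIs registered
    for this client_id, compared as an exact string. No prefix, suffix or
    substring matching, no fragment, no query string, and https only, so
    look-alike hosts and path tricks never match a registered entry."""
    allowed = REGISTERED_CLIENTS.get(client_id)
    if not allowed:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment or parts.query:
        return False
    return redirect_uri in allowed


def issue_token_checked(client_id: str, redirect_uri: str) -> Optional[dict]:
    """Token is only issued when redirect_uri is bound to client_id."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        return None
    return {"token": "token-for-" + client_id, "redirect_uri": redirect_uri}


if __name__ == "__main__":
    # Constructed inputs: a registered URI and one belonging to an unrelated host.
    good = "https://app.example.com/callback"
    foreign = "https://unrelated.example/collect"
    print("unchecked, foreign URI:", issue_token_unchecked("example-web-client", foreign))
    print("checked, foreign URI:  ", issue_token_checked("example-web-client", foreign))
    print("checked, registered:   ", issue_token_checked("example-web-client", good))
```

The point of the hardened version is that the server, not the caller, decides where a token may be delivered: the registry is keyed by client_id, so a redirect_uri registered for one client cannot be used with another client's ID, and any URI not in the set is rejected outright rather than matched loosely.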
How the attacker can exploit this bug
Since the flaw was reported, Apple has been reluctantly working on fixing it. The company has addressed the issue by launching a server-side update.