Apple’s Touch Id- a possible gateway to your iCloud account?
A security specialist at an IT firm Computest, Thijs Alkemade, found a security flaw in Apple’s Touch ID feature in February. This possible security breach could leave the iCloud accounts of the apple users vulnerable and accessible to the attackers when apple’s touch Id feature is used for verification.
Authentication Flaw
According to the specialist, when user logins to any of the apple domains, the normal way to login is by entering an ID and password. For this, the iframe embedded in the website points to Apple’s login validation server, which is responsible for handling the authentication process. The iframe URL is made up of two components: the identification of the client “client_id” and a redirecting URI “redirect_uri” that redirects the page after successful authentication.
However, when the login is authenticated using Touch ID, it works a little differently. It means the two-factor authentication of a normal login is skipped, although it does include the two factors, that is, biometrics and the device of the user, which are considered for verification. The communication is done with Authkit Daemon, which is responsible for handling the biometric authentication and retrieving a token used by the apple domain to continue the process of logging In.
Daemon then sends the details of the request and the form which receives Daemon’s token to an API ‘gsa.apple.com’. It is this API ‘gsa.apple.com’ which contains the flaw. It leads to verification of the client ID without authentication by abusing the domain. The redirected URI matches the client Id without even being checked.
It means that the attacker is in power to exploit the vulnerability on any Apple subdomain to run malicious snippets of JavaScript that could trigger a login prompt using the client’s ID on iCloud and can use the grant taken to obtain a session on client’s iCloud successfully.
In simple words, logging in on any apple domain like safari and other apple products. Using the touch Id feature could lead to the vulnerability in the security system, which can enable the attackers to access the user’s iCloud account, which means access to personal data such as device back-ups, location, phone files and much more.
How the attacker can exploit this bug
According to Alkemade, the embedded JavaScript on a web page is displayed when the device is connected to a wi-fi network for the first time, which ultimately allows access to the client’s account by accepting touch Id from that page.
OAuth is initiated as iCloud when the wi-fi network responds with JavaScript, and a touch Id prompt is generated, which is usually unclear to the user about what is implied. However, when it is successfully authenticated, the session token is directed to the malicious site, which gives access to the iCloud account and thus personal data. The breach is most likely to happen in areas where accessing a large number of iCloud accounts is possible, like airports, hotels, train stations, and other public space. Pretentious hotspots are created to access the targeted information.
Since the flaw has been reported, Apple has been reluctantly working on fixing it. The company has addressed the issue by launching a server-side update.
