Apple's implementation of the Face ID and Touch ID biometric features that authenticate users logging in to websites via Safari, specifically users signing in with an Apple ID, has a severe flaw.
The flaw was uncovered back in February by a security specialist at Computest and was responsibly reported to Apple through its disclosure program; the iPhone maker promptly addressed it in a recent server-side update.
Apple fixed the vulnerability last week: the server now also correctly checks the redirect_uri for the API used by AKAppSSOExtension.
The Touch/Face ID Flaw further Explained
The flaw stems from what happens when users try to sign in to a site that requires an Apple ID and a prompt is displayed to authenticate the login using Touch ID. This path skips the usual two-factor authentication step, because it is already treated as a combination of two factors of identification: the device and the biometric.
In the usual process with an Apple ID and password, the website embeds an iframe pointing to Apple's login validation server to handle the authentication. The iframe URL also carries two other parameters: a "client_id" identifying the service and a "redirect_uri" holding the URL the user is redirected to after verification.
When a user is validated using Touch ID, the iframe handles this differently: it communicates with the AuthKit daemon to process the biometric authentication and retrieve a token (the "grant_code"), which icloud.com then uses to continue the login process.
The daemon communicates with an API on "gsa.apple.com", to which it sends the details of the request and from which it receives the token. The flaw therefore resided in this gsa.apple.com API, which made it possible to abuse Apple's domains to obtain verification for an ID without proper authentication.
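The fix described above comes down to one server-side decision: a grant code may only be delivered to a redirect_uri that was registered in advance for the requesting client_id. The following added example (written for this page, not Apple's code or Computest's) contrasts a loose check that accepts any subdomain of a parent domain with a strict per-client allowlist, and only attaches the grant code when the strict check passes. All client IDs, domains and URIs are constructed placeholders.

```python
from typing import Optional
from urllib.parse import quote, urlparse

# Constructed registry of exact redirect URIs allowed per client_id.
# These values are placeholders for illustration, not real registrations.
REGISTERED_REDIRECTS = {
    "example-web-client": {"https://www.example.com/auth/callback"},
    "example-other-client": {"https://service.example.net/login/done"},
}


def loose_redirect_check(redirect_uri: str, parent_domain: str = "example.com") -> bool:
    """Weak check: accept any https URL whose host is the parent domain or one
    of its subdomains, without considering which client_id is asking.
    A page served from any subdomain passes, which is the class of weakness
    the article describes (a hypothetical illustration, not Apple's code)."""
    u = urlparse(redirect_uri)
    host = (u.hostname or "").lower()
    return u.scheme == "https" and (host == parent_domain or host.endswith("." + parent_domain))


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: redirect_uri must exactly equal one of the URIs
    pre-registered for this client_id (scheme, host, port and path).
    No prefix, suffix or wildcard matching, and no unknown clients."""
    allowed = REGISTERED_REDIRECTS.get(client_id)
    if not allowed:
        return False
    u = urlparse(redirect_uri)
    # Registered URIs never carry fragments or userinfo; reject them outright
    # rather than normalising, so an exact string comparison is sufficient.
    if u.fragment or u.username or u.password:
        return False
    return redirect_uri in allowed


def issue_grant(client_id: str, redirect_uri: str, grant_code: str) -> Optional[str]:
    """Return the URL the browser may be sent to with the grant code attached,
    or None when redirect_uri is not registered for client_id. The token is
    only ever appended to a destination the client's owner registered."""
    if not strict_redirect_check(client_id, redirect_uri):
        return None
    sep = "&" if urlparse(redirect_uri).query else "?"
    return f"{redirect_uri}{sep}grant_code={quote(grant_code)}"


if __name__ == "__main__":
    attacker_page = "https://captive.example.com/landing"  # constructed
    print("loose check accepts subdomain page:", loose_redirect_check(attacker_page))
    print("strict check accepts subdomain page:",
          strict_redirect_check("example-web-client", attacker_page))
    print("grant issued to registered URI:",
          issue_grant("example-web-client", "https://www.example.com/auth/callback", "demo"))
```

The point of the strict variant is that the server ties the redirect target to the client registration rather than to the domain the request came from, so a script on an unrelated subdomain cannot have the grant code sent to itself.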
How the Touch/Face ID Flaw could have been exploited
An attack could have been executed simply by embedding JavaScript in the web page displayed when connecting to a Wi-Fi network for the first time via captive.apple.com, which would have allowed an attacker to access a user's account once the user accepted a Touch ID prompt from that page.
This means the attacker could also have exploited the vulnerability on any of Apple's subdomains to run malicious JavaScript that triggers a login prompt via the iCloud client ID, then used the grant token to obtain a session on icloud.com.
It would therefore have been possible to gain access to a number of iCloud accounts, giving attackers access to backups of files, the user's location, and much other personal information.