Apple Touch ID Flaw Could Have Let Attackers Hijack iCloud Accounts

Apple earlier this year fixed a security vulnerability in iOS and macOS that could have potentially allowed an attacker to gain unauthorized access to a user's iCloud account.

Discovered in February by Thijs Alkemade, a security specialist at IT security firm Computest, the flaw resided in Apple's implementation of the TouchID (or FaceID) biometric feature that authenticated users to log in to websites on Safari, specifically those that use Apple ID logins.

After the issue was reported to Apple via their responsible disclosure program, the iPhone maker addressed the vulnerability in a server-side update.

An Authentication Flaw

The central premise of the flaw is as follows. When users try to sign in to a website that requires an Apple ID, a prompt is displayed to authenticate the login using Touch ID. Doing so skips the two-factor authentication step, since it already leverages a combination of factors for identification, such as the device (something you have) and the biometric information (something you are).

Contrast this with logins to Apple domains (e.g., “”) the usual way with an ID and password, where the site embeds an iframe pointing to Apple's login validation server (“”), which handles the authentication process.


As shown in the video demonstration, the iframe URL also contains two other parameters: a “client_id” identifying the service (e.g., iCloud) and a “redirect_uri” that contains the URL to be redirected to after successful verification.

But in the scenario where a user is validated using TouchID, the iframe is handled differently in that it communicates with the AuthKit daemon (akd) to handle the biometric authentication and subsequently retrieve a token (“grant_code”) that is used by the page to continue the login process.

To do this, the daemon communicates with an API on “,” to which it sends the details of the request and from which it receives the token.

The security flaw discovered by Computest resides in the aforementioned API, which made it theoretically possible to abuse those domains to validate a client ID without authentication.

“Even though the client_id and redirect_uri were included in the data submitted to it by akd, it did not check that the redirect URI matches the client ID,” Alkemade noted. “Instead, there was only a whitelist used by AKAppSSOExtension on the domains. All domains ending with, and were allowed.”


This means that an attacker could exploit a cross-site scripting vulnerability on any one of Apple's subdomains to run a malicious snippet of JavaScript code that can trigger a login prompt using the iCloud client ID, and use the grant token to obtain a session on

Setting Up Fake Hotspots to Take Over iCloud Accounts

In a different scenario, the attack could be executed by embedding JavaScript on the web page that is displayed when connecting to a Wi-Fi network for the first time (via “”), thus allowing an attacker access to a user's account by just accepting a TouchID prompt from that page.

“A malicious Wi-Fi network could respond with a page with JavaScript which initiates OAuth as iCloud,” Alkemade said. “The user gets a TouchID prompt, but it's very unclear what it implies. If the user authenticates on that prompt, their session token will be sent to the malicious site, giving the attacker a session for their account on iCloud.”

“By setting up a fake hotspot in a location where users expect to receive a captive portal (for example at an airport, hotel or train station), it would have been possible to gain access to a significant number of iCloud accounts, which would have allowed access to backups of pictures, location of the phone, files and much more,” he added.

This is not the first time security issues have been found in Apple's authentication infrastructure. In May, Apple patched a flaw affecting its “Sign in with Apple” system that could have made it possible for remote attackers to bypass authentication and take over targeted users' accounts on third-party services and apps that had been registered using Apple's sign-in option.