Critical flaw in Apple TouchID/FaceID authentication could let potential hackers take complete control of your iCloud accounts
With iOS 13 and macOS 10.15, Apple made it possible to sign in to Apple websites in Safari using TouchID/FaceID on iPhones, iPads and MacBooks that have the required biometric hardware. A security researcher from Computest, Thijs Alkemade, found that this TouchID/FaceID sign-in feature could be abused to gain access to a user’s iCloud account.
Signing into Apple websites normally requires two-factor authentication (2FA). When the user signs in with TouchID/FaceID, however, the 2FA step is skipped, because the device and the biometric check stand in for the second factor. Alkemade found that he could exploit this flow to gain access to Apple’s iCloud website. He says, “Although this vulnerability affects both macOS and iOS, with FaceID and TouchID and for all sites using AppleID logins, I will use iOS, TouchID, and https://icloud.com as the example. Keep in mind that the impact is larger than just this!”
How does the Apple TouchID/FaceID vulnerability work?
As said above, when an Apple device user logs in to any Apple website that requires an Apple ID, the user is prompted to sign in with TouchID/FaceID. Apple skips 2FA in that case because the user has already been verified by the device and the fingerprint/face scan.
Alkemade found that logins to Apple websites generally use an iframe pointing to Apple’s login server (“https://idmsa.apple.com”), which handles the authentication process. The iframe URL contains a “client_id” and a “redirect_uri.” When the user authenticates with TouchID/FaceID, the iframe takes a different path: it talks to the AuthKit daemon (akd), which handles the biometric check and returns a “grant_code” that the page uses to continue the login.
To authenticate the user, the daemon in turn communicates with an Apple API on “gsa.apple.com,” which verifies the request and issues the grant_code. Alkemade found that this API could be abused. “Even though the client_id and redirect_uri were included in the data submitted to it by akd, it did not check that the redirect URI matches the client ID,” Alkemade states in his blog post. “Instead, there was only a whitelist applied by AKAppSSOExtension on the domains. All domains ending with apple.com, icloud.com and icloud.com.cn were allowed.”
In other words, the server received both values but never checked that the redirect_uri belonged to the client_id; the only restriction was a domain allowlist. A request carrying iCloud’s client_id together with a redirect_uri on any other host ending in apple.com, icloud.com or icloud.com.cn was therefore accepted. That may look harmless, but Apple operates hundreds of such domains. Any attack that lets an attacker control a page on one of them is enough: that page can be supplied as the redirect_uri, the grant_code issued for iCloud lands there, and the attacker can use it to get into the victim’s iCloud account with 2FA never entering the picture.
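The following is an added example, not code from Alkemade’s write-up or from Apple, that models the two validation policies described above: a domain-suffix allowlist that never ties redirect_uri to client_id, beside a per-client exact-match check. The client IDs, callback URLs, attacker URL and helper names are all constructed for illustration and are not Apple’s real identifiers.

```python
"""Redirect-URI validation: domain-suffix allowlist versus per-client exact match.

Added example; client IDs, URLs and function names are constructed, not Apple's.
"""
import secrets
from urllib.parse import urlsplit

# Constructed registry: the exact redirect URIs each client_id is allowed to use.
REGISTERED_CLIENTS = {
    "icloud-web": {"https://www.icloud.com/auth/callback"},
    "appleid-web": {"https://appleid.apple.com/auth/callback"},
}

# Suffix allowlist in the spirit of the one the article says was the only check applied.
ALLOWED_SUFFIXES = ("apple.com", "icloud.com", "icloud.com.cn")


def host_matches_suffix(host: str, suffix: str) -> bool:
    # Match on a label boundary so that 'notapple.com' is not treated as apple.com.
    return host == suffix or host.endswith("." + suffix)


def weak_check(client_id: str, redirect_uri: str) -> bool:
    """Known client plus an allowlisted domain suffix. The two values are
    checked independently, so any allowlisted host passes for any client."""
    host = (urlsplit(redirect_uri).hostname or "").lower()
    return client_id in REGISTERED_CLIENTS and any(
        host_matches_suffix(host, s) for s in ALLOWED_SUFFIXES
    )


def strict_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened: https only, and redirect_uri must be exactly one of the
    URIs registered for this client_id (no suffix or prefix matching)."""
    if urlsplit(redirect_uri).scheme != "https":
        return False
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, set())


# In-memory stand-in for server state: grant_code -> (client_id, redirect_uri).
_ISSUED: dict = {}


def issue_grant_code(client_id: str, redirect_uri: str, validate=strict_check):
    """Token-endpoint stand-in: mints a random, single-use code bound to the
    (client_id, redirect_uri) pair that the chosen validator accepted."""
    if not validate(client_id, redirect_uri):
        return None
    code = secrets.token_urlsafe(32)
    _ISSUED[code] = (client_id, redirect_uri)
    return code


def redeem_grant_code(code: str, client_id: str, redirect_uri: str) -> bool:
    """The page that received the code presents it with the same client_id and
    redirect_uri. A code bound to a different pair, or already used, is rejected."""
    bound = _ISSUED.pop(code, None)
    return bound == (client_id, redirect_uri)


def demo() -> dict:
    legit = "https://www.icloud.com/auth/callback"
    # Constructed attacker-chosen redirect: a different host under apple.com.
    attacker = "https://other-service.apple.com/attacker-page"
    code = issue_grant_code("icloud-web", attacker, validate=weak_check)
    return {
        # The suffix allowlist accepts iCloud's client_id with a foreign apple.com host.
        "weak_accepts_attacker": weak_check("icloud-web", attacker),
        # Label-boundary matching still rejects look-alike registrable domains.
        "weak_rejects_lookalike": not weak_check("icloud-web", "https://notapple.com/page"),
        "strict_accepts_legit": strict_check("icloud-web", legit),
        "strict_rejects_attacker": not strict_check("icloud-web", attacker),
        "strict_rejects_http": not strict_check("icloud-web", "http://www.icloud.com/auth/callback"),
        # Under the weak policy a code is minted and redeems at the attacker's URI.
        "weak_issued_code": code is not None,
        "attacker_redeems_once": redeem_grant_code(code, "icloud-web", attacker),
        "code_is_single_use": not redeem_grant_code(code, "icloud-web", attacker),
        # Under the strict policy the attacker's request never gets a code.
        "strict_issues_nothing": issue_grant_code("icloud-web", attacker) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of binding the code to the pair at issuance and re-checking it at redemption is that a code which leaks to the wrong redirect target is useless; but, as the weak branch of the demo shows, that binding cannot help if the issuance check itself accepted the attacker’s redirect_uri for the victim’s client_id. The fix has to be at the issuance check, which is where Alkemade’s tweet below says Apple applied it.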
Proof-of-Concept video for the Apple TouchID/FaceID vulnerability
Alkemade confirmed that Apple acknowledged the vulnerability in its Apple ID web sign-in and fixed it with a server-side update: the server now checks that the redirect_uri matches the client_id.
Apple fixed this pretty quickly last week, the server now also correctly checks the redirect_uri for the API used by AKAppSSOExtension.
— Thijs Alkemade (@xnyhps) February 20, 2020