Apple授权过程的任意账号登录漏洞分析报告<\/h1>

1. 前置知识<\/h2>

1.1 JWT组成<\/h3>

JSON Web Token (JWT)由三部分组成：<\/p>

Header<\/strong>：包含算法(alg)和令牌类型(typ)<\/li>
Payload<\/strong>：包含声明(claims)如用户信息、过期时间等<\/li>

Signature<\/strong>：用于验证消息完整性和真实性<\/li> <\/ul>
格式：Base64UrlEncode(Header).Base64UrlEncode(Payload).Signature<\/code><\/p>
示例JWT解码后：<\/p>
{ <\/span><\/span> "alg"<\/span>: "HS512"<\/span>, <\/span><\/span> "typ"<\/span>: "JWT"<\/span> <\/span><\/span>} <\/span><\/span>{ <\/span><\/span> "iat"<\/span>: 1586525277<\/span>, <\/span><\/span> "admin"<\/span>: "false"<\/span>, <\/span><\/span> "user"<\/span>: "Jerry"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>1.2 Sign in with Apple简介<\/h3> 苹果提供的OAuth 2.0类似授权服务，允许用户使用Apple ID登录第三方应用\/网站。<\/p> 主要特点<\/strong>：<\/p> 隐私保护：可选择隐藏真实邮箱，使用Apple私密邮件中转服务<\/li> 安全性：内置双重认证，支持Face ID\/Touch ID<\/li> 强制性：支持其他社交登录的应用必须同时支持Apple登录<\/li> <\/ul> 用户信息共享<\/strong>：<\/p> 用户姓名<\/li> 用户电子邮件地址（可选择真实邮箱或Apple中转邮箱）<\/li> <\/ol> 2. 漏洞详情<\/h2> 2.1 漏洞发现<\/h3> 发现者：Bhavuk Jain (2020年4月)<\/li> 赏金：$100,000 (Apple Security Bounty计划)<\/li> 影响：任意账号接管(account takeover)<\/li> <\/ul> 2.2 漏洞原理<\/h3> 在授权流程的第2步(Authorization Granted)，攻击者可构造恶意请求：<\/p> POST<\/span> \/XXXX\/XXXX HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> appleid.apple.com<\/span> <\/span><\/span> <\/span><\/span>{"email":"任意邮箱地址"} <\/span><\/span><\/code><\/pre>漏洞点<\/strong>：<\/p> 仅验证JWT签名，未验证邮箱所有权<\/li> 请求参数过于简单，缺乏nonce等安全参数<\/li> 返回包含该邮箱的有效JWT，导致账号接管<\/li> <\/ul> 2.3 影响范围<\/h3> 理论上所有集成"Sign in with Apple"的应用，包括：<\/p> Adobe<\/li> TikTok<\/li> Dropbox<\/li> Spotify<\/li> Airbnb<\/li> 微博海外版等<\/li> <\/ul> 3. 授权流程分析<\/h2> 3.1 正常流程（6步）<\/h3> 授权请求(Authorization Request)<\/li> 授权授予(Authorization Granted) ← 漏洞所在<\/li> 访问令牌请求(Access Token Request)<\/li> 访问令牌响应(Access Token Response)<\/li> API调用(API Call)<\/li> 资源响应(Resource Response)<\/li> <\/ol> 3.2 正常JWT Payload示例<\/h3> { <\/span><\/span> "iss"<\/span>: "https:\/\/appleid.apple.com"<\/span>, <\/span><\/span> "aud"<\/span>: "com.XXXX.weblogin"<\/span>, <\/span><\/span> "exp"<\/span>: 158<\/span>XXXXXXX<\/span>, <\/span><\/span> "iat"<\/span>: 158<\/span>XXXXXXX<\/span>, <\/span><\/span> "sub"<\/span>: "XXXX.XXXXX.XXXX"<\/span>, <\/span><\/span> "c_hash"<\/span>: "FJXwx9EHQqXXXXXXXX"<\/span>, <\/span><\/span> "email"<\/span>: "contact@bhavukjain.com"<\/span>, \/\/ 或中转邮箱 <\/span><\/span><\/span><\/span> "email_verified"<\/span>: "true"<\/span>, <\/span><\/span> "auth_time"<\/span>: 158<\/span>XXXXXXX<\/span>, <\/span><\/span> "nonce_supported"<\/span>: true<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>4. 修复方案<\/h2> Apple修复后的授权请求：<\/p> POST<\/span> \/appleauth\/auth\/oauth\/authorize HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> appleid.apple.com<\/span> <\/span><\/span>...<\/span> [其他头部信息] ...<\/span> <\/span><\/span>Content-Type:<\/span> application\/json<\/span> <\/span><\/span> <\/span><\/span>{ <\/span><\/span> "client"<\/span>: { <\/span><\/span> "id"<\/span>: "notion.signin"<\/span>, <\/span><\/span> "redirectUri"<\/span>: "https:\/\/www.notion.so\/applepopupcallback"<\/span> <\/span><\/span> }, <\/span><\/span> "scopes"<\/span>: [], <\/span><\/span> "state"<\/span>: "eyJjYWxsYmFj..."<\/span>, <\/span><\/span> "anonymousEmail"<\/span>: true<\/span>, <\/span><\/span> "nonce"<\/span>: "493758775e30f12a539b31bbad9d397792f725c55be255b3"<\/span>, <\/span><\/span> "responseMode"<\/span>: "form_post"<\/span>, <\/span><\/span> "responseType"<\/span>: "code"<\/span>, <\/span><\/span> "email"<\/span>: "yourmail1@icloud.com"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>关键修复点<\/strong>：<\/p> 增加nonce参数防止重放攻击<\/li> 添加encryptedToken增强安全性<\/li> 完善请求参数校验机制<\/li> 增加state参数维护会话状态<\/li> <\/ol> 5. 安全建议<\/h2> 5.1 对OAuth服务提供者的建议<\/h3> 严格验证所有客户端提交的参数<\/li> 实现完整的OAuth 2.0安全规范<\/li> 增加关键操作的二次验证<\/li> 实施完善的日志监控机制<\/li> <\/ol> 5.2 对第三方应用开发者的建议<\/h3> 实现多因素认证机制<\/li> 监控异常登录行为<\/li> 定期审计集成代码<\/li> 及时更新SDK和依赖库<\/li> <\/ol> 6. 总结<\/h2> 此漏洞揭示了OAuth实现中的常见问题：<\/p> 协议实现不完整导致安全缺陷<\/li> 参数验证不严格引发逻辑漏洞<\/li> 身份验证与授权分离的风险<\/li> <\/ol> 核心教训<\/strong>：即使使用标准协议，实现细节中的安全疏漏仍可能导致严重漏洞。安全开发需要全面考虑协议规范的所有方面，并实施深度防御策略。<\/p>