Vulnerability in Apple websites with login via Touch ID
This specifically concerns websites such as iCloud.com and AppleID.apple.com. Logging in to these websites is based on OAuth2, a protocol used for web logins. When the login is done with biometric data such as Touch ID, however, the verification follows a different path than usual. An attacker could therefore log in to a user's account without needing the Apple ID or password.
The vulnerability is rather technical. Normally, when an Apple website is opened, a so-called client ID (in other words, a user identification number) is verified via a redirect, in order to check whether the login to that website is legitimate. Touch ID, however, uses a different process in which the client ID is not verified. That path relies on a so-called whitelist of Apple domains, so the login is allowed automatically. An Apple domain that uses Touch ID, for example, does not ask for two-factor authentication.
Now that Apple has closed the vulnerability, it can no longer be exploited. The researcher reported it to Apple earlier this year. Since the fix, the server checks whether the client ID can actually be verified for the login, as is normally the case with OAuth2.
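To make the difference between the two verification paths concrete, here is an added example in Python (it is not Apple's code and not from the original article). In OAuth2 the client_id identifies the requesting application, and each client registers the redirect URIs it may use; the client registry, redirect URIs and domain allowlist below are constructed, and the weak check is a schematic stand-in for the behaviour the article describes, not a reproduction of Apple's implementation.

```python
# Added example (not Apple's code): an OAuth2 authorization check that
# contrasts a domain-allowlist-only path with a check that binds the
# client_id to its registered redirect URI.
from urllib.parse import urlparse

# Constructed sample registry of OAuth2 clients. Each client_id maps to the
# exact redirect URIs that were registered for it.
REGISTERED_CLIENTS = {
    "client-example-1": {"https://app1.example.com/callback"},
    "client-example-2": {"https://app2.example.com/auth/cb"},
}

# Hypothetical allowlist of first-party domains, standing in for the
# whitelist of Apple domains mentioned in the article.
TRUSTED_DOMAINS = {"app1.example.com", "app2.example.com"}


def weak_authorize(client_id: str, redirect_uri: str) -> bool:
    """Flawed path: only checks that the redirect host is on the allowlist.

    The client_id is never looked up, so any value passes as long as the
    redirect points at a trusted domain; the client is not bound to it.
    """
    host = urlparse(redirect_uri).hostname or ""
    return host in TRUSTED_DOMAINS


def fixed_authorize(client_id: str, redirect_uri: str) -> bool:
    """Corrected path: the client_id must be registered, and the redirect_uri
    must exactly match one of the URIs registered for that client (exact
    string matching, as recommended for OAuth 2.0 redirect validation).
    """
    allowed = REGISTERED_CLIENTS.get(client_id)
    if allowed is None:
        return False
    return redirect_uri in allowed
```

In the fixed path an unknown client_id is rejected even when the redirect host is trusted, which is the check the allowlist-only path was missing.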