One-click account hijack via Sign in with Apple on Reddit
A flaw in how the Apple sign-in flow was handled allowed an attacker to take over accounts of users who used 'Sign in with Apple' - a sharp lesson in how third-party authentication flows can break access control.
A logic flaw in Reddit's "Sign in with Apple" integration let an attacker silently take over any Reddit account that had been linked to an Apple ID - no password needed, no notification sent, just a one-click takeover enabled by an OAuth flow that didn't validate what it should.
Stay Legal
This breakdown is for educational purposes and understanding real-world vulnerabilities. Only test techniques like these on systems you own or have explicit written authorization to assess.
The Target
Reddit is one of the largest social platforms on the internet. Like many modern applications, it offers social sign-in options - including "Sign in with Apple" - to let users authenticate without a password. The integration follows the OAuth 2.0 / OpenID Connect pattern: Apple issues a signed identity token (a JWT) to Reddit, and Reddit uses the identity information in that token to log the user in or to link the Apple ID to an existing account.
Social sign-in flows are complex, and complexity is where security bugs live. The attack surface here was Reddit's server-side logic for handling Apple's identity token and correlating it with Reddit accounts.
The Vulnerability
The vulnerability was an account takeover via a broken authentication flow in the "Sign in with Apple" integration. The flaw allowed an attacker to authenticate to Reddit as any user whose Reddit account was linked to an Apple ID, without knowing the victim's password, email address, or Apple credentials.
The precise technical detail requires reading the canonical report, but broken OAuth and social sign-in implementations commonly fail in one of several ways: they take an identifier such as an email address from a user-supplied request parameter instead of from the cryptographically verified token, they skip signature verification on the token altogether, they fail to validate the aud (audience) claim and so accept tokens issued for a different application, or they allow a token obtained in one sign-in to be replayed or modified to authenticate as a different user. In Reddit's case, the flow contained a logic error of this kind that could be exploited to authenticate as an arbitrary Apple-linked account.
The attack was a "one-click" takeover - meaning the attacker did not need to interact with the victim at all. Once inside the account, the attacker has full control: post history, private messages, subscriptions, any linked payment methods, and the ability to delete or deface the account.
How It Was Found
Social sign-in flows are best tested by carefully tracing every parameter in the OAuth exchange and probing what happens when those parameters are manipulated. The standard methodology includes:
- Capturing the full OAuth flow using a proxy (Burp Suite) and inspecting every request and response.
- Testing whether the identity token's signature is actually verified server-side.
- Testing whether the sub (subject), aud (audience), or email claim can be substituted with another user's values.
- Testing whether a token issued during one sign-in session can be replayed or modified to authenticate as a different user.
An illustrative probe of the token-handling endpoint (the path and parameter names are illustrative, not Reddit's actual endpoint):

POST /api/auth/apple/callback HTTP/1.1
Host: www.reddit.com
Content-Type: application/x-www-form-urlencoded

code=APPLE_AUTH_CODE&id_token=<JWT_with_manipulated_sub_or_email_claim>&state=CSRF_TOKEN

By modifying the identity claims in the token (or by abusing the server's reliance on user-supplied data over token-verified data), the researcher was able to authenticate as an account other than their own.
Impact
- Full account takeover for any Reddit account linked to an Apple ID - the attacker gains complete, authenticated access to the victim's account.
- No interaction required from the victim - the attack is entirely server-side once the attacker initiates the manipulated OAuth flow.
- Access to private messages, moderation privileges (for moderators), post and comment history, account settings, and any linked payment or advertising accounts.
- Reddit has hundreds of millions of accounts; accounts linked to "Sign in with Apple" represent a significant subset of that user base.
- The vulnerability is particularly impactful because victims have no indication the takeover occurred - no password-reset email, no unusual login notification from Apple.
The Fix
Secure implementation of "Sign in with Apple" (and OAuth social sign-in generally) requires strict adherence to the specification:
- Verify the JWT signature on every identity token using Apple's published public keys (fetched from https://appleid.apple.com/auth/keys and selected by the token's kid header), and accept only the algorithm you expect from Apple (RS256) - a verifier that honours alg: none or switches algorithms on the attacker's say-so is not verifying anything. Never trust token claims without cryptographic verification.
- Validate the aud claim - confirm the token was issued specifically for your application's client ID, not for another app.
- Validate the iss claim - confirm the issuer is https://appleid.apple.com.
- Use the sub claim as the authoritative account identifier - it is a stable, Apple-issued identifier tied to the Apple account, not user-modifiable data like email. The name and email Apple posts alongside the token on first sign-in are convenience data, not identity.
- Check token expiry (the exp claim) and reject expired tokens; this bounds the window in which a captured token can be replayed. If you send a nonce when starting the flow, also check that the nonce claim in the token matches it.
- Bind the OAuth state parameter to the user's session and validate it on callback to prevent CSRF against the OAuth flow.
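The probes listed under How It Was Found and the checklist above, put into working code as an added example written for this page (it is not Reddit's code and is not taken from the HackerOne report): a Go verifier for an RS256 id_token that pins the algorithm, checks the signature before reading any claim, and validates iss, aud, exp and sub, exercised against a genuine token, an alg:none token, a claim-substituted token and a token issued for another client_id. The client_id, the Apple-style sub values, the example email addresses and the RSA key that stands in for Apple's signing key are all constructed for the example; a real relying party fetches Apple's JWK set from https://appleid.apple.com/auth/keys and selects the key by the token's kid header.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

const appleIssuer = "https://appleid.apple.com"

// Claims is the subset of id_token claims a relying party must validate before use.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Email string `json:"email,omitempty"`
	Exp   int64  `json:"exp"`
}

// mintToken builds a JWT over c: alg "RS256" signs with priv (a stand-in for Apple's key); any other alg yields an unsigned token, the shape of an alg:none probe.
func mintToken(priv *rsa.PrivateKey, alg string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	if alg != "RS256" {
		return input + "."
	}
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyIDToken pins alg to RS256, checks the signature under the issuer's key first, and only then parses the payload and validates iss, aud, exp and sub.
func VerifyIDToken(token string, issuerKey *rsa.PublicKey, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string }
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg) // rejects alg:none and HS256 key confusion
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(issuerKey, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims // nothing in the payload is read until the signature has passed
	if rawBody, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(rawBody, &c) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	if c.Iss != appleIssuer || c.Aud != clientID {
		return nil, fmt.Errorf("iss %q / aud %q not acceptable for client %q", c.Iss, c.Aud, clientID)
	}
	if c.Sub == "" || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("missing sub or expired token")
	}
	return &c, nil
}

// RunProbes replays the write-up's probes against VerifyIDToken; each result is the sub that would key the account lookup (email never does) or the reason for rejection.
func RunProbes() map[string]string {
	appleKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for Apple's signing key
	const clientID = "com.example.relying-party"       // hypothetical client_id
	now := time.Now()
	attacker := Claims{Iss: appleIssuer, Aud: clientID, Sub: "009876.attacker",
		Email: "attacker@example.com", Exp: now.Add(10 * time.Minute).Unix()}
	victim, otherApp := attacker, attacker
	victim.Sub, victim.Email = "001234.victim", "victim@example.com"
	otherApp.Aud = "com.example.other-app"
	genuine := strings.Split(mintToken(appleKey, "RS256", attacker), ".")
	unsigned := strings.Split(mintToken(nil, "none", victim), ".") // alg:none header, empty signature
	probes := map[string]string{
		"genuine attacker token":              strings.Join(genuine, "."),
		"alg:none carrying victim sub":        strings.Join(unsigned, "."),
		"victim sub under attacker signature": genuine[0] + "." + unsigned[1] + "." + genuine[2],
		"token issued for another client_id":  mintToken(appleKey, "RS256", otherApp),
	}
	results := map[string]string{}
	for name, tok := range probes {
		if c, err := VerifyIDToken(tok, &appleKey.PublicKey, clientID, now); err != nil {
			results[name] = "rejected: " + err.Error()
		} else {
			results[name] = "login as sub " + c.Sub
		}
	}
	return results
}
func main() { fmt.Println(RunProbes()) }
```

Run it with go run; only the genuine token logs anyone in, and it logs in the attacker's own sub, which is the whole point: the victim's sub and email reach the server only inside tokens that fail the signature or algorithm check. The order of checks matters - the payload is not even decoded until the signature has been verified, so a substituted email or sub never influences a lookup. What the example leaves out is binding state (and Apple's nonce claim) to the browser session, which belongs in the callback handler rather than in token verification.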
What You Can Learn
- Social sign-in flows are complex and frequently buggy. Every parameter in the OAuth exchange - code, token, state, user data - is a potential attack surface; test all of them.
- JWT signature verification is not optional. Applications that use JWTs but don't verify the signature are trusting attacker-controlled data; the alg: none trick and claim substitution both rely on missing verification.
- Account linkage creates new attack surfaces. When a user links a social account, the linking logic must be as rigorous as the authentication logic - both must verify the user's identity before acting.
- "Sign in with X" bugs tend to be critical. Unlike a password credential that exposes one account, a broken social sign-in often enables mass account takeover across all linked accounts.
- Audience (aud) validation prevents cross-app token reuse. A token issued for App A should never authenticate a user to App B - validating aud is what enforces this boundary.
Canonical Report
Full technical details are in the original HackerOne disclosure: HackerOne #1567186 - Account takeover via Sign in with Apple flow on Reddit