New Sign in with Apple button bypasses 2FA, works on existing accounts?

Just noticed the new Sign in with Apple button on the dash.

It seems this will let you sign in to an existing Cloudflare account simply if the email address on the Apple account matches the email address on a Cloudflare account.

This seems like a major security issue, especially as it bypasses any 2FA configured on the Cloudflare account and lets you straight in?

Who’s to say what compromised Apple accounts are out there that match up with a Cloudflare account, and now give bad actors direct access to existing Cloudflare accounts?

And who’s to say what level of security folks may or may not have on their actual Apple accounts, given they can now bypass any 2FA configured specifically on one’s Cloudflare account?

It really feels like this should be opt-in, where you link up an Apple account to an existing Cloudflare account before the sign in flow works, and it’d be nice to see 2FA still be required, given users have specifically enabled it for Cloudflare.

Edit: See reply #2 by arunesh90 and reply #9 by matthew below – the JWT that is generated during this flow seems very vulnerable, and IMO, is a way more significant security concern than just that this flow exists and bypasses 2FA. That token seems to just work for 24 hrs, no matter what happens.


To add to this, it appears that the login JWT that’s being created in this process can be used unlimited times to log into your account, while the token is also valid for an entire day.

During the Apple login process, check for the request that starts with https://dash.cloudflare.com/login/apple?oidcJwt - that same request can be repeated unlimited times for 24 hours to get back into your account without having to re-authenticate with Apple.


I was hoping to link to my existing Cloudflare account (which uses Hide My Email), but it just made a new Cloudflare account without any confirmation prompt. I’d been hoping to use it to replace my iCloud+ Hide My Email address with a Sign In With Apple address, which has stricter rules.

Unfortunately, it just made a fresh Cloudflare account, which is apparently impossible to delete. The deletion flow needs a password, which simply doesn’t exist on that account.

If someone at Cloudflare could help me delete the fresh account (ideally without making me wait a year to change the email on my primary account to it), that’d be very helpful.

Sign in with Apple already uses (and requires) 2FA, so unless you actually want more than two factors (which you might!) it makes sense to skip it. In my opinion, the logical default is to require TOTP for password-based authentication and skip it for SIWA authentication.

That being said, the lack of any confirmation prompts[1] for setting it up is bizarre, and the lack of any authentication[2] for setup is outright insane.


  1. “Would you like to create a new account with the ID [email protected]?” ↩︎

  2. “There is an existing account for [email protected]. Please sign in below to link it with Sign In With Apple.” ↩︎
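The callback policy the two posts above argue for (no silent login on an e-mail match, no silent account creation, and the account's own 2FA still enforced), written out as an added example. This is not Cloudflare's code and nothing on the page describes their implementation; the claim names follow Apple's ID token, while the client ID, the account record shape and the `LinkDecision` outcomes are assumptions made for the example.

```python
import time

# Assumed values for the example: Apple's issuer string, and the Services ID
# registered with Apple (the `aud` the ID token must be issued for).
APPLE_ISSUER = "https://appleid.apple.com"
OUR_CLIENT_ID = "com.example.dash"


class LinkDecision:
    LOGIN = "login"                    # Apple `sub` already linked, no extra factor configured
    STEP_UP_2FA = "step_up_2fa"        # linked, but the account has its own 2FA: prompt for it
    REAUTH_TO_LINK = "reauth_to_link"  # e-mail matches an unlinked account: sign in first, then link
    CONFIRM_CREATE = "confirm_create"  # nothing matches: ask before creating a new account
    CREATE = "create"
    REJECT = "reject"


def validate_apple_claims(claims, now=None):
    """Minimal checks on the (already signature-verified) ID token claims."""
    now = time.time() if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        return False
    if claims.get("aud") != OUR_CLIENT_ID:
        return False
    if claims.get("exp", 0) <= now:
        return False
    if not claims.get("sub"):
        return False
    # Apple has been observed sending email_verified as the string "true"; accept both forms.
    ev = claims.get("email_verified")
    return ev is True or ev == "true"


def decide_link_insecure(claims, accounts):
    """The behaviour the thread describes: an e-mail match logs straight in
    (2FA skipped), anything else silently creates an account."""
    email = (claims.get("email") or "").lower()
    for acct in accounts:
        if acct["email"].lower() == email:
            return LinkDecision.LOGIN
    return LinkDecision.CREATE


def decide_link(claims, accounts, now=None):
    """Hardened policy. `accounts` is a list of dicts with keys
    email, apple_sub (None if unlinked) and totp_enabled (assumed schema)."""
    if not validate_apple_claims(claims, now):
        return LinkDecision.REJECT
    sub = claims["sub"]
    # Only a previously established link (the stable Apple `sub`) grants a login,
    # and the account's own second factor is still required if configured.
    for acct in accounts:
        if acct.get("apple_sub") == sub:
            return LinkDecision.STEP_UP_2FA if acct.get("totp_enabled") else LinkDecision.LOGIN
    # An e-mail match is a hint to offer linking, never a credential.
    email = (claims.get("email") or "").lower()
    for acct in accounts:
        if acct["email"].lower() == email:
            return LinkDecision.REAUTH_TO_LINK
    return LinkDecision.CONFIRM_CREATE
```

The point of keying on `sub` rather than e-mail is that the e-mail on an Apple account is user-controlled and, with Hide My Email, may not even be the address on the Cloudflare account; a link established once under the account's existing credentials is the only thing that should ever produce a session.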

The issue is more that this bypasses 2FA methods that you explicitly configured to use for Cloudflare, such as a specific Yubikey or another 2FA device you use for logging into Cloudflare.
Apple’s 2FA allows you to send a one-time token via SMS, which is arguably one of the least secure 2FA methods out there.


Ugh, I wasn’t aware of that. I certainly don’t have that enabled, as I agree SMS is a token effort at best.

For something as sensitive as a Cloudflare account, I’d also expect the ability to customize whether you need more than two factors. At any rate, this would be a lot less annoying if it at least asked for confirmation before setting things a certain way.

AFAIK it’s enabled on all Apple accounts. Go to icloud.com, sign in, and when asked for verification choose “Didn’t get a verification code”. Then it will present you with options to use SMS or a phone call.

Well, that’s unnerving.

Just to add, the JWT returned from the Apple sign-in flow is not only valid for 24 hrs with unlimited uses across unlimited devices (as far as I can tell), meaning that if someone stole your browser history they could access your account with a full, normal login session; even if you change your password on the account (say, if you suspected you’d had this token stolen), the JWT remains valid. Yikes.

It seems that token is valid for 24hrs, with no revocation method at all?!
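The three properties of the `oidcJwt` handoff token that arunesh90 and matthew describe above (replayable, valid for a day, not revoked by a password change) all come down to what the server checks when it consumes the token. The added example below, not Cloudflare's code and not based on anything about their real token beyond the query parameter named in the thread, mints an HS256 handoff token and contrasts a verifier that only checks signature and expiry with one that also enforces single use, a short lifetime and a password-version claim. The key, the 60-second TTL, the `pwd_ver` claim and the user record shape are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side HMAC key for the handoff token
HANDOFF_TTL = 60                      # seconds; long enough for one redirect hop, not a day


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_handoff(user, now=None):
    """Mint a short-lived, single-use handoff for `user` ({"id": ..., "pwd_version": ...}).
    `pwd_version` is assumed to be bumped whenever the account password changes."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": user["id"],
        "iat": int(now),
        "exp": int(now) + HANDOFF_TTL,
        "jti": secrets.token_urlsafe(16),   # unique id so the server can record it as spent
        "pwd_ver": user["pwd_version"],     # ties the token to the credentials in force at mint time
    }
    signing_input = (_b64(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SERVER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def _verify_signature(token):
    """Return the claims if the HS256 signature is valid, else None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return None
    if json.loads(_unb64(h)).get("alg") != "HS256":
        return None
    return json.loads(_unb64(p))


class HandoffVerifier:
    def __init__(self):
        self.used_jti = set()  # in production: a shared store kept at least HANDOFF_TTL

    def consume_insecure(self, token, users, now=None):
        """Signature and expiry only: the token is replayable until `exp`
        and a password change does nothing to it."""
        now = time.time() if now is None else now
        claims = _verify_signature(token)
        if claims is None or claims["exp"] <= now:
            return None
        return users.get(claims["sub"])

    def consume(self, token, users, now=None):
        """Hardened: single use, short-lived, and invalidated by a password change."""
        now = time.time() if now is None else now
        claims = _verify_signature(token)
        if claims is None or claims["exp"] <= now:
            return None
        if claims["jti"] in self.used_jti:      # replay of a token that already produced a session
            return None
        self.used_jti.add(claims["jti"])        # burn it even if the checks below fail
        user = users.get(claims["sub"])
        if user is None or user["pwd_version"] != claims["pwd_ver"]:
            return None                         # credentials rotated since minting: treat as revoked
        return user
```

A spent-token set is the simplest revocation mechanism; the password-version claim covers the case matthew raises, where the user rotates their password precisely because they suspect the token was taken, without needing to enumerate every outstanding token.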

Thanks for bringing this up - I’m sharing this internally to make sure we review.


Hello all,

Upon internal review, these were determined to be valid, and we have patched them.
Using the Sign in with Apple flow will not bypass any existing Cloudflare 2FA setup, and we have reduced the time within which you can get back into the account without re-authenticating with Apple.


Hi,

Regarding the Sign in with Apple button: if an account is created using the Sign in with Apple button, it seems it is impossible to delete the account, as it requires entering the password to the Cloudflare account. But the account password isn’t known, and the Apple ID password does not work.

Have you tried changing or resetting the password?

Thank you for this.
