I wrote an in-depth explanation of the "Sign In with Apple" ... • Aaron Parecki

49°F

I wrote an in-depth explanation of the "Sign In with Apple" Zero-Day that was revealed by a security researcher this weekend.

The problem had nothing to do with OAuth or JWT, and you might be surprised at how simple the bug actually was.

https://aaronparecki.com/2020/05/31/30/the-real-cause-of-the-sign-in-with-apple-zero-day

Portland, Oregon • 65°F

#apple #siwa

Mon, Jun 1, 2020 1:04pm -07:00

29 likes 16 reposts 3 replies 3 mentions
Have you written a response to this? Let me know the URL:
- Chris twitter.com/gonji96
  
  Am guilty of breaking rule #2 myself.
  
  Tue, Jun 2, 2020 3:48am +00:00 (via brid-gy.appspot.com)
- Aaron Parecki twitter.com/aaronpk
  
  seriously! It's like one of the first things you learn when developing web apps. It's an embarrassing oversight frankly.
  
  Mon, Jun 1, 2020 9:30pm +00:00 (via brid-gy.appspot.com)
- Not Fake Adam Kalsey twitter.com/akalsey
  
  One of my old security teachers had a saying: treat everything you get from the client as toxic. Assume it’s false, malicious, and unsanitary until you can prove that it is not.
  
  Mon, Jun 1, 2020 9:21pm +00:00 (via brid-gy.appspot.com)
Other Mentions
- Tatsuo Kudo twitter.com/tkudos
  
  forums.developer.apple.com/thread/130197 にある https://appleid .apple .com/appleauth/auth/oauth/authorize が "some server-side code at the authorization server that responds to the buttons the user presses" てことか
  
  Tue, Jun 2, 2020 12:17am +00:00 (via brid-gy.appspot.com)
- Vladimir Dzhuvinov 🇪🇺 🇧🇬 twitter.com/dzhuvi
  
  Validate user input. Sounds simple and sensible until it gets forgotten.
  
  Mon, Jun 1, 2020 9:30pm +00:00 (via brid-gy.appspot.com)
- Peter Saxton twitter.com/CrowdHailer
  
  Just sticking with the standard is the safest. OpenID that's how you work with did.app
  
  Mon, Jun 1, 2020 8:34pm +00:00 (via brid-gy.appspot.com)

Posted in /notes using quill.p3k.io