Aaron Parecki

  • Aaron Parecki
    I wrote an in-depth explanation of the "Sign In with Apple" Zero-Day that was revealed by a security researcher this weekend.

    The problem had nothing to do with OAuth or JWT, and you might be surprised at how simple the bug actually was.

    https://aaronparecki.com/2020/05/31/30/the-real-cause-of-the-sign-in-with-apple-zero-day
    Portland, Oregon • 65°F
    Mon, Jun 1, 2020 1:04pm -07:00 #apple #siwa
    29 likes 16 reposts 3 replies 3 mentions
    • Chris twitter.com/gonji96
      Am guilty of breaking rule #2 myself.
      Tue, Jun 2, 2020 3:48am +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      seriously! It's like one of the first things you learn when developing web apps. It's an embarrassing oversight frankly.
      Mon, Jun 1, 2020 9:30pm +00:00 (via brid-gy.appspot.com)
    • Not Fake Adam Kalsey twitter.com/akalsey
      One of my old security teachers had a saying: treat everything you get from the client as toxic. Assume it's false, malicious, and unsanitary until you can prove that it is not.
      Mon, Jun 1, 2020 9:21pm +00:00 (via brid-gy.appspot.com)

    Other Mentions

    • Tatsuo Kudo twitter.com/tkudos
      So the https://appleid .apple .com/appleauth/auth/oauth/authorize mentioned in forums.developer.apple.com/thread/130197 is the "some server-side code at the authorization server that responds to the buttons the user presses", then?
      Tue, Jun 2, 2020 12:17am +00:00 (via brid-gy.appspot.com)
    • Vladimir Dzhuvinov 🇪🇺 🇧🇬 twitter.com/dzhuvi
      Validate user input. Sounds simple and sensible until it gets forgotten.
      Mon, Jun 1, 2020 9:30pm +00:00 (via brid-gy.appspot.com)
    • Peter Saxton twitter.com/CrowdHailer
      Just sticking with the standard is the safest. OpenID that's how you work with did.app
      Mon, Jun 1, 2020 8:34pm +00:00 (via brid-gy.appspot.com)
Posted in /notes using quill.p3k.io

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.