Aaron Parecki

Thanks! It's still in the works, but I'll definitely feature it on my stream when it's announced!

It's almost like they learned nothing from the mess of XML-based protocols

as someone who decided to switch to windows just for video editing, I agree with this list.

Except for: screen shots, there's a print screen button!

iMessage and Airdrop mean so many more hoops to get stuff from my phone to my laptop

seriously! It's like one of the first things you learn when developing web apps. It's an embarrassing oversight frankly.

holy crap, that even applies to using personal devices on company property.

which I guess isn't that significant right now but still.

Same, and some of them are from really suspicious looking Twitter accounts. I haven't clicked, but I'm wondering if the sites they promote are some sort of tracking network. Kinda want to dig into this now.

That's true, I noticed I have multiple me.com addresses on my account when I was making the screenshots and forgot to update this text to match. Still, the point is the same.

Posted a full writeup with a lot more details: https://aaronparecki.com/2020/05/31/30/the-real-cause-of-the-sign-in-with-apple-zero-day

Alright, it's up! https://aaronparecki.com/2020/05/31/30/the-real-cause-of-the-sign-in-with-apple-zero-day

lack of form validation

I should have replied to that one. It’s barely a logic bug using JWT. I’m writing up more details in a blog post, will post a link shortly.

This has almost nothing to do with JWTs, or even OpenID Connect for that matter.

The original post didn’t make this clear, so I’m writing a new post to hopefully better explain the problem. You’ll see that it has nothing to do with OIDC at all. Link coming shortly, I hope.

Please go read it again and understand the problem

Go read the writeup again. The original post wasn't the clearest explanation of the problem but I also posted some more details in this thread that make it clearer.

And? certification wouldn't have caught this bug since it wasn't a problem with the OIDC part of the exchange.

Yes! And that is *exactly* why I always advocate for pushing the complexity to the authorization server and keeping the client side simple. Fewer options for clients means fewer ways to mess it up, and there will always be more client developers than AS developers.

Yeah it's mainly a technical limitation of the platform we used for publishing it. If you send me a receipt, I'll send you the other format!

Nah this is more a demonstration of why sticking to standards is a good idea, and why building an authorization server isn't a project that should be taken lightly.