Aaron Parecki

#siwa

I wrote an in-depth explanation of the "Sign In with Apple" Zero-Day that was revealed by a security researcher this weekend.

The problem had nothing to do with OAuth or JWT, and you might be surprised at how simple the bug actually was.

https://aaronparecki.com/2020/05/31/30/the-real-cause-of-the-sign-in-with-apple-zero-day

Portland, Oregon • 65°F

29 likes 16 reposts 3 replies 3 mentions

#apple #siwa

Mon, Jun 1, 2020 1:04pm -07:00
The Real Cause of the Sign In with Apple Zero-Day

The zero-day bug in Sign In with Apple actually had nothing to do with the OAuth or OpenID Connect part of the Sign In with Apple exchange, and very little to do even with JWTs. Let's take a closer look to see what actually happened.
continue reading...

37 likes 19 reposts 1 bookmark 9 replies 25 mentions

#oauth #oidc #apple #siwa #security #zeroday

Sun, May 31, 2020 1:49pm -07:00
Hans Zandbelt https://twitter.com/hanszandbelt

So at first Apple shortcutted OIDC protocol steps in SIWA which rendered them insecure, after fixing that they went on to add extras on top of OIDC which now renders them insecure again. It should be clear to everyone now: don't roll your own. #openid #siwa

Portland, Oregon • 60°F

#openid #siwa

Sun, May 31, 2020 6:43pm +00:00 (liked on Sun, May 31, 2020 12:47pm -07:00)

next