Aaron Parecki

#siwa

• 

  I wrote an in-depth explanation of the "Sign In with Apple" Zero-Day that was revealed by a security researcher this weekend.
  
  The problem had nothing to do with OAuth or JWT, and you might be surprised at how simple the bug actually was.
  
  https://aaronparecki.com/2020/05/31/30/the-real-cause-of-the-sign-in-with-apple-zero-day

  Portland, Oregon • 65°F

  29 likes 16 reposts 3 replies 3 mentions

  #apple #siwa

  Mon, Jun 1, 2020 1:04pm -07:00

• The Real Cause of the Sign In with Apple Zero-Day

  

  The zero-day bug in Sign In with Apple actually had nothing to do with the OAuth or OpenID Connect part of the Sign In with Apple exchange, and very little to do even with JWTs. Let's take a closer look to see what actually happened.

  continue reading...

  37 likes 19 reposts 1 bookmark 9 replies 25 mentions

  #oauth #oidc #apple #siwa #security #zeroday

  Sun, May 31, 2020 1:49pm -07:00
• Hans Zandbelt https://twitter.com/hanszandbelt

  So at first Apple shortcutted OIDC protocol steps in SIWA which rendered them insecure, after fixing that they went on to add extras on top of OIDC which now renders them insecure again. It should be clear to everyone now: don't roll your own. #openid #siwa

  Portland, Oregon • 60°F

  #openid #siwa

  Sun, May 31, 2020 6:43pm +00:00 (liked on Sun, May 31, 2020 12:47pm -07:00)