Dominick Baier · May 31, 2020 · 8:19 AM UTC

Dominick Baier

Dominick Baier @leastprivilege

31 May 2020

Zero-day in Sign in with Apple bhavukjain.com/blog/2020/05/…

Torsten Lodderstedt · May 31, 2020 · 11:29 AM UTC

Torsten Lodderstedt @tlodderstedt

31 May 2020

if I understand correctly, the token request accepted an alternative email claim value and used it to override the value on Apple’s IDP. Really?

Aaron Parecki · May 31, 2020 · 12:37 PM UTC

Aaron Parecki · May 31, 2020 · 12:37 PM UTC

Aaron Parecki @aaronpk

31 May 2020

Replying to @tlodderstedt @leastprivilege

If I'm reading it right it's not the token endpoint, it's their internal API for accepting the request that let the user choose which email to share with the app. So it's a form validation problem.

May 31, 2020 · 12:37 PM UTC

Torsten Lodderstedt · May 31, 2020 · 12:38 PM UTC

Torsten Lodderstedt @tlodderstedt

31 May 2020

Replying to @aaronpk @leastprivilege

But it’s exposed to the client and did accept arbitrary values, right?

Aaron Parecki · May 31, 2020 · 12:39 PM UTC

Aaron Parecki @aaronpk

31 May 2020

Yea, it's just not part of the OAuth API. It's more like bad logic on the internal implementation of the AS.

more replies