Dominick Baier · May 31, 2020 · 8:19 AM UTC

Dominick Baier

Dominick Baier @leastprivilege

31 May 2020

Zero-day in Sign in with Apple bhavukjain.com/blog/2020/05/…

Torsten Lodderstedt · May 31, 2020 · 11:29 AM UTC

Torsten Lodderstedt @tlodderstedt

31 May 2020

if I understand correctly, the token request accepted an alternative email claim value and used it to override the value on Apple’s IDP. Really?

Aaron Parecki · May 31, 2020 · 12:37 PM UTC

Aaron Parecki @aaronpk

31 May 2020

If I'm reading it right it's not the token endpoint, it's their internal API for accepting the request that let the user choose which email to share with the app. So it's a form validation problem.

Torsten Lodderstedt · May 31, 2020 · 12:38 PM UTC

Torsten Lodderstedt @tlodderstedt

31 May 2020

But it’s exposed to the client and did accept arbitrary values, right?

Aaron Parecki · May 31, 2020 · 12:39 PM UTC

Aaron Parecki · May 31, 2020 · 12:39 PM UTC

Aaron Parecki @aaronpk

31 May 2020

Replying to @tlodderstedt @leastprivilege

Yea, it's just not part of the OAuth API. It's more like bad logic on the internal implementation of the AS.

May 31, 2020 · 12:39 PM UTC

Barbara Schachner 🇺🇦🌻 · May 31, 2020 · 12:56 PM UTC

Barbara Schachner 🇺🇦🌻 @barschachner

31 May 2020

Replying to @aaronpk @tlodderstedt @leastprivilege

Seen similar issues with SAML in the past. SP correctly verified the assertion, then redirected the user to the real app path with his email address as (exchangeable) parameter. On IdP/AS side it’s of course even more severe...

Torsten Lodderstedt · May 31, 2020 · 12:41 PM UTC

Torsten Lodderstedt @tlodderstedt

31 May 2020

Replying to @aaronpk @leastprivilege

I see. Thanks for the clarification.