If I understand correctly, the token request accepted an alternative email claim value and used it to override the value on Apple’s IDP. Really?
If I'm reading it right it's not the token endpoint, it's their internal API for accepting the request that let the user choose which email to share with the app. So it's a form validation problem.
But it’s exposed to the client and did accept arbitrary values, right?
It's the handler that responds to the "Continue" form post on this screen. Instead of a Boolean, the client sent back the actual email address and the server accepted arbitrary values.
Now that I'm writing this out, I realize that the client also sends back the "name" here, intentionally, since the name is user-editable. So I can see how this happened. It's just extremely poor coding practice to essentially also allow the email to be editable here.

May 31, 2020 · 12:45 PM UTC

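The handler shape the thread describes, reconstructed as an added Python example (hypothetical code written for this page; it is not Apple's code and not something the posters provided). The session layout, the form field names `name`, `email` and `share_email`, and the sample addresses are all assumptions. The vulnerable version takes the email address the client posts back, exactly the way the legitimately user-editable name is taken; the hardened version accepts only a boolean choice and resolves the address from server-side state that was populated from the verified account.

```python
from dataclasses import dataclass

# Assumed server-side state for an in-progress sign-in. Everything here comes
# from the IdP's own records, never from the client.
@dataclass(frozen=True)
class Session:
    account_email: str   # verified address on the account
    account_name: str    # default display name; the user may edit it on the form
    relay_email: str     # per-app private relay address to use when not sharing

# Constructed sample data (not from any real account).
SESSION = Session(
    account_email="alice@example.com",
    account_name="Alice Example",
    relay_email="k7q2m@privaterelay.example",
)

# Constructed attacker request: the client was supposed to say whether to share
# the real address, but instead posts an arbitrary address of its choosing.
ATTACK_FORM = {"name": "Alice Example", "email": "victim@example.com"}


def vulnerable_continue_handler(session: Session, form: dict) -> dict:
    """Handler for the "Continue" post that trusts the posted email.

    Because the name field is legitimately client-editable, the email field
    was handled the same way, so whatever the client sends becomes the email
    claim that is later issued for this sign-in.
    """
    name = form.get("name", session.account_name)
    email = form.get("email", session.account_email)  # BUG: arbitrary client value
    return {"name": name, "email": email}


def hardened_continue_handler(session: Session, form: dict) -> dict:
    """Same handler, but the only email-related input is a boolean choice.

    The address itself is never read from the form; it is selected server-side
    from the session. Any stray "email" field the client posts is ignored.
    """
    name = form.get("name", session.account_name)
    if not isinstance(name, str) or not 0 < len(name.strip()) <= 100:
        raise ValueError("invalid name")

    share = form.get("share_email")
    if share not in ("true", "false"):
        raise ValueError("share_email must be 'true' or 'false'")

    email = session.account_email if share == "true" else session.relay_email
    return {"name": name.strip(), "email": email}


def rejects(session: Session, form: dict) -> bool:
    """True if the hardened handler refuses the request outright."""
    try:
        hardened_continue_handler(session, form)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_continue_handler(SESSION, ATTACK_FORM))
    print("hardened:  ", hardened_continue_handler(SESSION, {**ATTACK_FORM, "share_email": "true"}))
    print("rejected:  ", rejects(SESSION, ATTACK_FORM))
```

The design point is that the form should only ever carry a decision, not the datum the decision is about: once the address lives exclusively in server-side session state, there is no client-supplied value to validate or to get wrong.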