Aaron Parecki · Jun 1, 2020 · 8:04 PM UTC

Aaron Parecki · Jun 1, 2020 · 8:04 PM UTC

Aaron Parecki

Aaron Parecki @aaronpk

1 Jun 2020

I wrote an in-depth explanation of the "Sign In with Apple" Zero-Day that was revealed by a security researcher this weekend. The problem had nothing to do with OAuth or JWT, and you might be surprised at how simple the bug actually was. aaronparecki.com/2020/05/31/…

The Real Cause of the Sign In with Apple Zero-Day

The zero-day bug in Sign In with Apple actually had nothing to do with the OAuth or OpenID Connect part of the Sign In with Apple exchange, and very little to do even with JWTs. Let's take a closer...

aaronparecki.com

Jun 1, 2020 · 8:04 PM UTC

Not Fake Adam Kalsey · Jun 1, 2020 · 9:21 PM UTC

Not Fake Adam Kalsey @akalsey

1 Jun 2020

Replying to @aaronpk

One of my old security teachers had a saying: treat everything you get from the client as toxic. Assume it’s false, malicious, and unsanitary until you can prove that it is not.

Aaron Parecki · Jun 1, 2020 · 9:30 PM UTC

Aaron Parecki @aaronpk

1 Jun 2020

seriously! It's like one of the first things you learn when developing web apps. It's an embarrassing oversight frankly.