I’m getting burned out on Timmy's security problems.

Windows is looking better
I don't know if you've followed Windows blogs' reports on what happens in their world. The biggest issue is it's such a legacy-supporting system. Great for businesses in some ways, but new security features take so long to creep in, and all the old stuff lying around is a liability.
 
Apple needs to boost their security team. There are a few things like this that have been slipping through the cracks recently. I get that new features have bugs, but this doesn't seem particularly obscure. If I'm reading the linked article correctly, you could get a valid token for any Apple ID just by asking for one? If so, it sounds like it wasn't exploited simply because nobody had tried yet...


That same question could be asked of any service. There is no answer to "how many more remain". More mature services will have fewer bugs, in general, but new features will bring new bugs with them.
You're making it seem like PhDs made kindergarten-level mistakes. I submit, no one (who is commenting, unless they are an Apple insider) knows about what goes on behind the scenes. It may be child's play for a researcher with the proper tools, but anything but for the rest of us.
 
You're making it seem like PhDs made kindergarten-level mistakes. I submit, no one (who is commenting, unless they are an Apple insider) knows about what goes on behind the scenes. It may be child's play for a researcher with the proper tools, but anything but for the rest of us.

This is a software kindergarten-level mistake. Apple's servers failed to match the identity inside the token with the identity in the authentication request, allowing token reuse across accounts. This is why it was found.

Simplifying, instead of checking whether the username and password combination was valid, it checked whether each one was valid individually.
 
How about Apple are also fined some huge amount for letting this slip?
I expect bugs, but I don’t expect my whole account to be potentially vulnerable.

Probably hard to draw a line there, and it sounds like there is no known exploitation in the wild.

As if this "moral to the story" needs to be repeated again: Never trust early revisions of things to be secure. But actually, please do, I need someone to beta-test for me.

Security flaws still get found in decades-old code.

Also, why is JWT always such an emphasized detail? Just means your key is inside a JSON object, like many things on the web, whatever.

I think the JWT payload helped clue the researcher in to the bug, in this case.
 
This is a software kindergarten-level mistake. Apple's servers failed to match the identity inside the token with the identity in the authentication request, allowing token reuse across accounts. This is why it was found.
While I understand the “point”, there may be something else that is not kindergarten...without proof it’s all opinion.
 
You're making it seem like PhDs made kindergarten-level mistakes. I submit, no one (who is commenting, unless they are an Apple insider) knows about what goes on behind the scenes. It may be child's play for a researcher with the proper tools, but anything but for the rest of us.
Again, I don’t see a ton of detail in the blog post, but as it’s written it does sound like a kindergarten-level mistake.

I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.

If it’s child’s play for a white hat researcher hoping to score $100k, then it’s child’s play for an army of black hats hoping to score millions. As for the rest of us, we rely on Apple to get this right so we don’t need to invest in the education and proper tools to check the perimeter fence of every service we sign on to.
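The token-binding failure described in this thread (a signed token being accepted for an account other than the one it was minted for), as a simplified model added here; this is not the researcher's code and not Apple's implementation. Apple's real tokens are RSA-signed with Apple's key and carry more claims; this example uses a constructed HMAC key and a single `email` claim so it runs stand-alone. The point is the second acceptance function: a valid signature proves the token is genuine, not that it belongs to the account in the request.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. Apple's real tokens are RSA-signed; HMAC is used
# here only to keep the example self-contained.
SIGNING_KEY = b"constructed-demo-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(email: str) -> str:
    """Server side: mint a JWT whose payload names the account it was issued for."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"email": email}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_signature(token: str) -> Optional[dict]:
    """Return the decoded payload if the signature is genuine, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # malformed structure, bad base64, or bad JSON
        return None


def accept_login_signature_only(requested_email: str, token: str) -> bool:
    """The flaw the thread describes: a genuine signature is treated as proof
    for whichever account the login request names."""
    return verify_signature(token) is not None


def accept_login_bound(requested_email: str, token: str) -> bool:
    """Hardened check: the identity inside the token must match the identity
    the authentication request is for."""
    claims = verify_signature(token)
    return claims is not None and hmac.compare_digest(
        str(claims.get("email", "")), requested_email)
```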
 
I’m getting burned out on Timmy's security problems.

Windows is looking better
Security problems are the least of my worries. I'm looking at the MacBook lineup since 2016, and I'm still waiting for something I am actually willing to buy. At this rate, when my 2015 dies, I'm not sure if I'm going to hunt around for another 2015, or switch to Windows. Yep, I know the 16" and other 2020 models are an improvement, but they aren't there yet. And the fact that you can't put Mojave on any of them is a major killer. I'd breathe a major sigh of relief if someone made a truly hackintoshable laptop, because at the moment, I just can't see Timmy Apple getting it together.
 
While I understand the “point”, there may be something else that is not kindergarten...without proof it’s all opinion.

What is not kindergarten is why didn't somebody catch this in unit testing or fuzz testing, which is asking why Apple doesn't follow modern software engineering practices, which is a management/political issue.

That is, why does Apple's management suck so bad?
 
While I understand the “point”, there may be something else that is not kindergarten...without proof it’s all opinion.
It’s about trust. Sign In with Apple was hacked immediately on launch using a trivial technique. Apple previously accepted blank passwords in their OS. These are complex systems, no doubt, but if Apple can’t execute on that complexity then they lose my trust.
 
Congratulations to Mr. Jain

Questions I have based on the comments so far:
1. How uncommon are bugs in software/services? Not just at Apple, at all companies.
2. How do we get new devices/services/functionality if things don’t change?

I have older friends on 11-year-old Macs updated to the latest OS they can run. They have contemporary iPhones that do 99.99% of what they want or feel capable of doing.

If it weren’t for their iPhones which are newer they’d probably need new computers.
Point being new technology replaces old and new software replaces old. Making it easier for some (which it should in order for it to be good for the user) and frustrating for those not willing to adapt/grow/change.
Why would they need new computers if they had older phones? I have a 2015 rMBP15, and an iPhone 6, and I work as a software developer. There is NOTHING I can't do on either that I would like to do. In many ways the older machines are superior (ports, function keys, everything just works, partly upgradeable (SSD), and older versions of the software aren't full of bugs). I have zero desire to upgrade either MBP or phone when compared to the current models. If they did put out models that fixed all the problems, then I would upgrade, but I don't need to. I am a bit worried about what to do in the future when my MBP dies, as there is nothing at all on the market by any brand that is as good as what I have. The phone is easy, there are plenty of Androids with the jack, and some of them are just fine.
 
I was thinking of Bash.
I was too, but Bash is now older than it was when Shellshock was discovered and patched. I don't expect perfection over time, only better odds.
Why would they need new computers if they had older phones? I have a 2015 rMBP15, and an iPhone 6
Same here, and it's in part because Apple still supports both. It's perfect, I avoided the 2016-2019 crappy MBPs and will buy a new one once USB-C has been adopted enough, which should be around the time my MBP loses support. My laptop is golden, but I can't hold onto it forever.

I'm glad Apple supports their iPhones for so long too. No idea why that's not a thing with Android. But it'll be tough for me to downgrade to a jackless phone later. I already have an 8 sitting around unused.
 
Perhaps this bug was found (not by Apple) but how many more remain?
Hard pass on ever trying this feature

I've used this feature maybe once thus far, since when I would need to log in and not have an iOS/iPadOS device or macOS, then I’m stuck.

This is a major security loophole and I’m not surprised the iOS lead didn’t set up major internal testing of the feature's security, or even contract out to have it tested by freelancers in a beta form for a few months at the very least. No, I’m not surprised since, after all, the same lead also released OS X Mavericks with sudo and no pw ring set!
Typical Federighi move.

iOS and macOS continue to gain more bugs as they're refined every generation, since one lead should never be in charge of both major OSes. When will Cook put a stop to this?!
Do not misquote me.
I said Windows is looking better.

What part of that do I need to explain?

Why is everyone saying Timmy needs to patch when he’s not programming iOS nor macOS??
 
What is not kindergarten is why didn't somebody catch this in unit testing or fuzz testing, which is asking why Apple doesn't follow modern software engineering practices, which is a management/political issue.

That is, why does Apple's management suck so bad?
It’s about trust. Sign In with Apple was hacked immediately on launch using a trivial technique. Apple previously accepted blank passwords in their OS. These are complex systems, no doubt, but if Apple can’t execute on that complexity then they lose my trust.

Federighi
 
And I’m not sure all devs will implement this, such as Instagram or Tinder. We’ll see, June is the deadline to implement Sign in with Apple on the apps where it is mandatory.

Tinder already implemented it.


Instagram absolutely won’t implement it. IG is Facebook and their entire business model is tracking its users to sell ads.
 
With hair like that? Nah, blame must lie elsewhere...

More seriously, does this lie in his domain? I lost track of the hierarchy...

macOS, iOS, iPadOS and tvOS have all fallen under Craig for years now. So yup, it’s his leadership, or the strain of too much to manage with teams is showing holes, most likely due to too many compromises. Many ideas and alternative fixes brought by directors under him for him to approve etc. Features have been getting much better yet bugs have been increasing.

PS: he’s the only OS X or macOS lead who left Apple/NeXT (transition timeline) by choice and then returned. That has always bothered me. Personal opinion.
 
macOS, iOS, iPadOS and tvOS have all fallen under Craig for years now. So yup, it’s his leadership, or the strain of too much to manage with teams is showing holes, most likely due to too many compromises. Many ideas and alternative fixes brought by directors under him for him to approve etc. Features have been getting much better yet bugs have been increasing.

PS: he’s the only OS X or macOS lead who left Apple/NeXT (transition timeline) by choice and then returned. That has always bothered me. Personal opinion.
Wouldn’t Sign In with Apple be under services rather than OS development?
 