oh yeah you may be right there. I was thinking it being implemented in iOS & iPadOS.
Good catch and thanks for the correction. 👌🏿
Not that the OSes haven’t had their problems... I wonder if security auditing is a centralized function, or federated among the various teams.
 
It’s about trust. Sign In with Apple was hacked immediately on launch using a trivial technique. Apple previously accepted blank passwords in their OS. These are complex systems, no doubt, but if Apple can’t execute on that complexity then they lose my trust.
Apple isn’t the first and won’t be the last vendor to have these types of vulnerabilities. Do the others lose your trust also?
What is not kindergarten is why didn't somebody catch this in unit testing or fuzz testing, which is asking why Apple doesn't follow modern software engineering practices, which is a management/political issue.

That is, why does Apple's management suck so bad?
All one has to do is look at the cve database and ask the same questions.
 
Apple isn’t the first and won’t be the last vendor to have these types of vulnerabilities. Do the others lose your trust also?

Yes. When a company you trust leaves a door wide open to your accounts, you don’t re-examine your relationship with them?
 
If I did that there wouldn’t be any manufacturers left from which I would be able to buy consumer electronics products.

I think you're looking at the world a little black and white here... I've lost trust in Apple, I haven't lost all trust in Apple.

Apple had begun to develop a well deserved reputation of being private and secure relative to alternatives. Bugs happen, but they seemed to happen less frequently to Apple and when they were reported they seemed to have an air of desperation to them.

Recently though, there has been a run of security failures that don't seem overblown and for which the responsibility seems to rest firmly on Apple's shoulders.

After a friend gets a few DUIs, you think twice about giving them the keys to your car. I'd begun to trust Apple implicitly with my data, but now I'm much less confident in doing so. Annoyingly, I now have to think just as hard about whether to give my keys to Apple as I would just about any other company-- and sadly for Apple that gives them less of a leg up on the competition.

We strike a bargain when we choose the Apple ecosystem: we pay a bit more, cede a significant amount of our decision making to the company, and live within their increasingly walled garden and in exchange we expect products that are private, secure and work reliably. I'm not saying that deal isn't still worth making, but blunders like this make the benefits less clear.

If you don't think this is a significantly black mark on Apple's reputation then I'm not sure why you'd be unwilling to buy products from any other company.
 


Researcher Bhavuk Jain in April discovered a critical Sign in With Apple vulnerability that could have resulted in a takeover of some user accounts. The bug was specific to third party apps that used Sign in With Apple and didn't implement additional security measures.


Jain notes that Sign in With Apple works by authenticating a user through a JWT (JSON Web Token) or a code that's generated by Apple's server. Apple then gives users the option to share either the email tied to their Apple ID or a private relay email address, which creates a JWT that's used to log in a user.

Jain then discovered that once JWTs for both Apple ID emails and private relay email addresses were requested and the token's signature was verified using Apple's public key, it "showed as valid." Should the bug have not been discovered, a JWT could be created and used to gain access to one's account.

In an interview with The Hacker News, Jain spoke about the severity of the bug:

According to Jain, Apple conducted an investigation and concluded that no accounts were compromised using this method before the vulnerability was patched. Jain was paid $100,000 by Apple under its Apple Security Bounty Program for reporting the bug.

Article Link: Now Patched 'Sign in With Apple' Bug Left Users Open to Attack
I'm pretty sure if Steve Jobs were in charge Craig Federighi would be gone by now. Too much of this happening on his watch.
 
Sign in with google/facebook/apple/whatever is convenient, but possible issues like this are exactly why I don't use it. Separate accounts with unique passwords (of course with the help of a password manager) in combination with 2-factor authentication when needed is IMO the most secure (and just as easy) option.
 
I think you're looking at the world a little black and white here... I've lost trust in Apple, I haven't lost all trust in Apple.

Apple had begun to develop a well deserved reputation of being private and secure relative to alternatives. Bugs happen, but they seemed to happen less frequently to Apple and when they were reported they seemed to have an air of desperation to them.

Recently though, there has been a run of security failures that don't seem overblown and for which the responsibility seems to rest firmly on Apple's shoulders.

After a friend gets a few DUIs, you think twice about giving them the keys to your car. I'd begun to trust Apple implicitly with my data, but now I'm much less confident in doing so. Annoyingly, I now have to think just as hard about whether to give my keys to Apple as I would just about any other company-- and sadly for Apple that gives them less of a leg up on the competition.

We strike a bargain when we choose the Apple ecosystem: we pay a bit more, cede a significant amount of our decision making to the company, and live within their increasingly walled garden and in exchange we expect products that are private, secure and work reliably. I'm not saying that deal isn't still worth making, but blunders like this make the benefits less clear.

If you don't think this is a significantly black mark on Apple's reputation then I'm not sure why you'd be unwilling to buy products from any other company.
It is pretty much a black and white issue, the way you were making it out to be.

While Apple should do better, they are not alone in the world of security vulnerabilities. To an extent, I trust Microsoft, Google, Apple, the banks, etc. to keep my data safe (not Facebook though). I applaud Apple for their commitment to customer privacy, but that doesn't mean their code won't have bugs. The reason those of us who choose to purchase Apple products may feel they cost a bit more than the competition is that Apple is a premium manufacturer that provides top-shelf support, borne out by satisfaction surveys and long-range software support (updates to the 5s, for example). And while it is true that certain functions in the phone are locked down vs. the competition, the ability for these devices to have unique connections is the draw of Apple (IMO). I expect these devices to work securely and reliably. The question is where the line in the sand is. 100% is not attainable and 0% is unacceptable. Each of us will have our own line in the sand.

These software bugs, for me, are not going to cause me to throw my MacBooks and iPhones in the garbage, because I like using these devices and the competition really isn't better in this regard, and I like using Apple products. So I hope that Apple, and all manufacturers, use this as a learning tool to do better with software development in the future.
Sign in with google/facebook/apple/whatever is convenient, but possible issues like this are exactly why I don't use it. Separate accounts with unique passwords (of course with the help of a password manager) in combination with 2-factor authentication when needed is IMO the most secure (and just as easy) option.
I have never used sign-in with. I'm still a believer in separate user IDs and passwords. However, I may rethink this and start to use "sign-in with Apple" in the future.
 
As if this "moral to the story" needs to be repeated again: Never trust early revisions of things to be secure. But actually, please do, I need someone to beta-test for me.

Also, why is JWT always such an emphasized detail? Just means your key is inside a JSON object, like many things on the web, whatever.

I think the moral of the story is ALSO that trusting Apple (or anyone else for that matter) with your security is a bad idea if there is a centralized component. :)

This illustrates why Apple holding the keys to decrypt iCloud etc is a bad idea - one security issue and parts of everyone's iCloud information will be open.
 
Sign in with google/facebook/apple/whatever is convenient, but possible issues like this are exactly why I don't use it. Separate accounts with unique passwords (of course with the help of a password manager) in combination with 2-factor authentication when needed is IMO the most secure (and just as easy) option.
It's only just as easy if you store your passwords in the cloud, then the question is how secure the password manager is. If you keep a local password file, that's annoying, and you need to keep backups in case you lose it.

The thing is, most accounts aren't super important, so I don't really care. And I memorize a separate highly secure password and use 2FA for the few things that matter.
Apple isn’t the first and won’t be the last vendor to have these types of vulnerabilities. Do the others lose your trust also?
The sheer stupidity of this vulnerability shakes my trust in Apple's security, and this is the first time. The entire auth system was broken from the looks of it, no tricky hacks required. It's as if they left some "test mode" flag enabled by accident.
 
Oh, they are, it’s just easier to go with the bugs you know and have proven workarounds for than a whole new set of bugs :)
Yeah, half true. But you can't tell me that Catalina isn't a special lemon. There are some versions that are much worse than others, and some that are pretty good, and Catalina fits squarely in the first bucket. Over time, some of the bugs get fixed, but for Catalina, it's as if Timmy just doesn't care anymore.
 
It is pretty much a black and white issue, the way you were making it out to be.

While Apple should do better, they are not alone in the world of security vulnerabilities. To an extent, I trust Microsoft, Google, Apple, the banks, etc. to keep my data safe (not Facebook though). I applaud Apple for their commitment to customer privacy, but that doesn't mean their code won't have bugs. The reason those of us who choose to purchase Apple products may feel they cost a bit more than the competition is that Apple is a premium manufacturer that provides top-shelf support, borne out by satisfaction surveys and long-range software support (updates to the 5s, for example). And while it is true that certain functions in the phone are locked down vs. the competition, the ability for these devices to have unique connections is the draw of Apple (IMO). I expect these devices to work securely and reliably. The question is where the line in the sand is. 100% is not attainable and 0% is unacceptable. Each of us will have our own line in the sand.

These software bugs, for me, are not going to cause me to throw my MacBooks and iPhones in the garbage, because I like using these devices and the competition really isn't better in this regard, and I like using Apple products. So I hope that Apple, and all manufacturers, use this as a learning tool to do better with software development in the future.

I think you injected a tone into my words that I didn't intend. I never saw anything as black and white, and still don't. I keep score. At various points I need to make decisions and, when I do, I look at the score.

You seem to see this as an all or nothing game. At some point a straw will break the camel's back and you'll throw all your Apple stuff in the garbage, but until that point it sounds like it's Apple all the way. That's not how I work.


You don't need to give me a sales pitch. This thread isn't about all the pros and cons of Apple, it's about a pretty significant security blunder. This isn't just a software bug. This isn't one of those holes that required multiple steps through obscure protocol layers to exploit. And this isn't the first time. They basically just left the door keys under the mat.

I was looking forward to the release of Sign in with Apple because I liked the promise of a protective layer between my email address and whatever service I was signing into and I trusted Apple to manage it correctly. This just blew that out of the water.

After the last iOS email bug that Apple left unpatched for so long and that let attackers just waltz through all of your email, my company sent out a message reminding everyone that we are only supposed to be checking our corporate email through the GMail web client. You and I might think that's overreacting and pushing towards a worse outcome, but because Apple let themselves be seen as insecure, the decision is being made for us.

We're past the point of learning trivial lessons about online security. There's no room for naiveté in online services anymore. If Apple hasn't learned to take security seriously by this point, that's a far more damning argument-- that means it's not a bug, not a failure of process, but an issue of indifference. If that's the argument that's put forward on this one, then all hope is lost.

You can argue whatever you want about other companies, but that's not the point here. When you start comparing something to the average then you're only aspiring to be marginally better than average. Compared to themselves, Apple's high standard for security and privacy is slipping. I used to be able to not waste a lot of time worrying about whether Apple was keeping the hatches battened down, but now I do. That annoys me-- I have better things to spend my time worrying about.
 
I think you injected a tone into my words that I didn't intend. I never saw anything as black and white, and still don't. I keep score. At various points I need to make decisions and, when I do, I look at the score.

You seem to see this as an all or nothing game. At some point a straw will break the camel's back and you'll throw all your Apple stuff in the garbage, but until that point it sounds like it's Apple all the way. That's not how I work.


You don't need to give me a sales pitch. This thread isn't about all the pros and cons of Apple, it's about a pretty significant security blunder. This isn't just a software bug. This isn't one of those holes that required multiple steps through obscure protocol layers to exploit. And this isn't the first time. They basically just left the door keys under the mat.

I was looking forward to the release of Sign in with Apple because I liked the promise of a protective layer between my email address and whatever service I was signing into and I trusted Apple to manage it correctly. This just blew that out of the water.

After the last iOS email bug that Apple left unpatched for so long and that let attackers just waltz through all of your email, my company sent out a message reminding everyone that we are only supposed to be checking our corporate email through the GMail web client. You and I might think that's overreacting and pushing towards a worse outcome, but because Apple let themselves be seen as insecure, the decision is being made for us.

We're past the point of learning trivial lessons about online security. There's no room for naiveté in online services anymore. If Apple hasn't learned to take security seriously by this point, that's a far more damning argument-- that means it's not a bug, not a failure of process, but an issue of indifference. If that's the argument that's put forward on this one, then all hope is lost.
The short of this is: I vote with my dollars and my dollars go to Apple. Yeah, this is a bad bug, but the industry isn’t at 100% secure and Apple less than 100%. You do what you want. With 100s of millions of customers there is little to believe two customers will have the same opinions.

And all the other stuff is irrelevant. Apple patched the security vulnerability. If you thought it was black or white, sales pitch, kindergarten, etc., you are entitled to your opinion. If I were to throw the baby out with the bath water, Ubuntu would be my main operating system.

You can argue whatever you want about other companies, but that's not the point here. When you start comparing something to the average then you're only aspiring to be marginally better than average. Compared to themselves, Apple's high standard for security and privacy is slipping. I used to be able to not waste a lot of time worrying about whether Apple was keeping the hatches battened down, but now I do. That annoys me-- I have better things to spend my time worrying about.
As I said, industry norms and trends are important. It’s not that the industry is at 100% and Apple less than 100%. So, yeah, it’s my opinion that the performance of other companies with regard to this issue is important.

Apple’s stance on privacy is not slipping, in fact it’s getting tighter and more well defined. I can’t even say their code quality is slipping because there is no comparison as this type of thing has been around for many years at Apple...and other software vendors.

I can’t waste my time worrying if the vendors I use on a day to day basis are doing the right thing. All of these vendors have had breaches. And I’m not throwing the baby out with the bath water.
 
Yeah, this is a bad bug

This was my only point all along. This wasn't a "will you buy Apple products" poll, it was an article about a bad bug. We need less of them. Apple needs to redouble their security efforts.
 