This allowed you to forge an attestation of user identity from Apple for any App that was setup to consume it. Apple is acting as an IdP for its consumer ecosystem. It's definitely their problem.

Third-party applications really have no recourse but to trust the signed JWT. That is just how OAuth2/OIDC works.

User impersonation against an IdP is a serious security issue. 100k is cheap.

The bug was basically on the IdP's "consent screen". Instead of using the email from the active logged in account, it allowed the attack to POST in any email they wanted.

Obviously not having the bug would be great. Apple could do "more", and layer on more things on top of OAuth, like a proof of key extension (DPoP) on the flow: https://tools.ietf.org/html/draft-fett-oauth-dpop-04

But if you have a bug like this, where you can edit your claims arbitrarily inside the IdP, extra security layers kinda don't matter.

Is everyone in this thread only going to read the first two paragraphs of the article and skip the rest of it?

> I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.

That there were ways of mitigating it (I'd assume verifying email addresses out of band?) doesn't mean it's not Apple's problem when their authentication system can be tricked to confirm false identities, when its entire purpose is confirming identities.

Apple is an email authority in this case, and as third party you have to rely on their security. Same as with ssl certificate authority.