undefined | Better HN

0 pointsthephyber5y ago0 comments

The important part is in the author’s article. The POST to the opened endpoint generates a valid JWT token for the email address in the payload, not for the one in the logged-in session. Everything else is extraneous.

0 comments

fouc5y ago

Oh man, that is classic sloppy web development.

It's often so easy to reach for the values in the params/payload first because you're already working with them, instead of remembering to use the session values instead.

This would be a great audit to do for entire codebases.. Just check all places that are using params/payload values and see if there's actually already a session value that should be used instead.

rags2riches5y ago

Don't just audit. Strengthen the critical APIs with types. A user provided string is not the same type as an authentic identity. Make the developer be explicit about the critical mistake about to be made. Perl had this down decades ago with the tainted checks.

amenod5y ago

This, thousand times. Don't just fix the bug, fix the process that led to the bug. Developers are (usually) not malicious, but we are often working with tooling which makes mistakes easy to do, difficult to detect and grave in consequences. Fix the tooling, not just the bug.

mehrdadn5y ago

I wonder if encoding the query params with some dumb encoding (maybe a custom variant of base64?) and forcing decoding at every usage site would make it inconvenient enough to cause programmers to use the session values instead?

dtech5y ago

That also explains why Apple could exclude abuse happening in the logs, which some commenters have refuted.

If they have all the JWTs, seeing if one had a different e-mail than the logged-in user should be fairly doable.

SV_BubbleTime5y ago

Oh. Ok, so you did have to have an existing logged in session for any account, then could leverage that to get the token for another account by changing out the email?

mazeltovvv5y ago

Ah. So this creates a valid JWT for any email you want, but it is now associated with your own apple account?

SV_BubbleTime5y ago

> but it is now associated with your own apple account?

On the backend, maybe they can look up who requested a token at a time.

But otherwise, no it doesn’t seem to be

1 more reply

thephyberOP5y ago

I don't have any way to confirm, but yes, this is what I interpreted from the article.

j / k navigate · click thread line to collapse

0 comments

fouc5y ago

Oh man, that is classic sloppy web development.

It's often so easy to reach for the values in the params/payload first because you're already working with them, instead of remembering to use the session values instead.

This would be a great audit to do for entire codebases.. Just check all places that are using params/payload values and see if there's actually already a session value that should be used instead.

rags2riches5y ago

amenod5y ago

mehrdadn5y ago

dtech5y ago

That also explains why Apple could exclude abuse happening in the logs, which some commenters have refuted.

If they have all the JWTs, seeing if one had a different e-mail than the logged-in user should be fairly doable.

SV_BubbleTime5y ago

Oh. Ok, so you did have to have an existing logged in session for any account, then could leverage that to get the token for another account by changing out the email?

mazeltovvv5y ago

Ah. So this creates a valid JWT for any email you want, but it is now associated with your own apple account?

SV_BubbleTime5y ago

> but it is now associated with your own apple account?

On the backend, maybe they can look up who requested a token at a time.

But otherwise, no it doesn’t seem to be

1 more reply

thephyberOP5y ago

I don't have any way to confirm, but yes, this is what I interpreted from the article.

j / k navigate · click thread line to collapse