Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Is everyone in this thread only going to read the first two paragraphs of the article and skip the rest of it?

> I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.



To be honest, I think the author is misrepresenting this, just as they falsely said that this was a "zero-day".




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: