The Real Cause of the Sign In with Apple Zero-Day

Aaron walks through the issues that caused the Sign in with Apple zero day, including common flows from other OAuth / OpenID apps and authenticators.

The simplistic reporting seemed to indicate that Apple was signing any JWT sent to them, but it wasn’t an issue with JWT directly:

The zero-day bug that was recently discovered actually had nothing to do with the OAuth or OpenID Connect part of the Sign In with Apple exchange, and very little to do even with JWTs. Let’s take a closer look to see what actually happened.

In fact, the lack of validation of form inputs was the big issue, along with the fact that Apple "sort of" used OpenID rather than following the standard directly.
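As an added illustration (not code from Aaron's article or from Apple's service), here is a token issuer that signs an identity claim copied straight from form input, beside one that takes identity only from the authenticated server-side session and checks the form fields against a client registry; the field names, the registry and the HS256 demo key are assumptions made for the example.

```python
# Added illustration, not Apple's code: an issuer that signs whatever identity
# the form carries, beside one that takes identity only from the authenticated
# server-side session. Field names, client registry and the HS256 key are
# constructed for the example.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-key-not-for-production"                               # constructed
REGISTERED_CLIENTS = {"app.example": "https://app.example/callback"}  # constructed

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    """Mint a compact HS256 JWT over the given claims."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verified_claims(token: str) -> dict:
    """Relying-party side: check the signature before trusting any claim."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))

def issue_token_vulnerable(form: dict, session: dict) -> str:
    """Signs the identity the client posted; the session is never consulted."""
    return sign_jwt({"iss": "issuer.example", "aud": form["client_id"],
                     "sub": form["email"], "email": form["email"],
                     "iat": int(time.time())})

def issue_token_fixed(form: dict, session: dict) -> str:
    """Validates form input against the registry, then signs session identity only."""
    client_id = form.get("client_id")
    if client_id not in REGISTERED_CLIENTS:
        raise ValueError("unknown client_id")
    if form.get("redirect_uri") != REGISTERED_CLIENTS[client_id]:
        raise ValueError("redirect_uri does not match registration")
    # Identity claims come from the authenticated session, never from the form.
    return sign_jwt({"iss": "issuer.example", "aud": client_id,
                     "sub": session["user_id"], "email": session["email"],
                     "iat": int(time.time())})
```

The signature on both tokens is valid, so a relying party cannot tell them apart; the only defence is that the issuer never lets form input choose whose identity gets signed.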