Hacker News

The thing that made this bug possible was that, while your Apple ID has to be an email address, Apple has a mechanism to avoid exposing it to third parties - unlike Google, Apple, or Facebook's single sign-on implementation; the bug seems to be in the step between verifying your identity and telling Apple whether you would or would not like your email address to be exposed.

If anything, the issue is that third parties treat the email address as a unique, unchangeable identity, and then agree to rely on Apple's assertion of what your email address is. But given how hard identity is - and the challenges in dealing with passwords, account recovery, and name changes at scale - it's a pretty reasonable tradeoff to make.



The point wasn’t that the address is exposed by Apple; it’s that e-mail addresses are widely exposed by USERS, out of necessity.


Sign in with Facebook also lets the user choose whether or not to share their email address.



