This isn’t a zero day. It’s known by Apple, and presumably already addressed. It doesn’t really say so, except it refers to the exploit in the past tense.
Apple also did an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability.
It was a zero-day when he took it to Apple, otherwise they would be suing him for $100,000,000 for publishing this article instead of having rewarded him with $100,000.
No, not really. A “zero day” is a vulnerability that has not yet been patched by the vendor. There’s no vendor here. It’s not like Apple was waiting on Nginx to release a patch; Apple is both the author of the software and the affected party. When they were notified, they patched; as soon as the patch was put in place, all “users” of the software were instantly patched—because there was only one, which was Apple.
The premise of a zero day is that you can find a vulnerability in a product and then exploit it in all the places it is used. That’s what makes them interesting.
All the places that use Sign In With Apple. Just because only one centralized server deployment was vulnerable doesn’t mean it wasn’t exploitable all over the web.
This is a really stupid thing to argue over, and you’re wrong anyway.
There are two definitions of 0-day:

1. The vulnerability is known outside of the vendor before the patch is released.
2. The vulnerability is actively exploited before the patch is released.
This definitely meets the first definition. The second is less useful: you can sometimes show that something is a zero-day according to this definition but you can rarely show that something isn’t.
I assume that refers to the steps Apple took after they verified this bug was valid; however, I agree - there is no indication per this article that this is a zero day.
It’s worth reading Aaron Parecki’s detailed writeup about this, as there’s a bit more info about what actually went wrong.
That was a good read. The only issue was lack of server-side validation.
An amazingly big issue for such an important feature.
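The “lack of server-side validation” mentioned above is a general flaw class: a token endpoint that copies an identity claim (here, the email address) from the client’s request instead of taking it from the authenticated session, and then signs it. The following is an added illustration, not code from the thread, from Apple, or from the linked writeups. It models a Sign In With Apple-style issuer in miniature: the session store, the session id, the constructed addresses and the HS256 signing key are all hypothetical (a real identity provider signs with an asymmetric key), and the two issuer functions show the flawed pattern beside the corrected one.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key so the example runs offline; a real provider uses RS256 with a private key.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

# Hypothetical session store: session id -> the identities verified for that logged-in account.
# Both the real address and the per-app relay address are legitimate choices for this account.
SESSIONS = {
    "sess-alice": {
        "real": "alice@example.com",
        "relay": "x7q2p@privaterelay.example.invalid",
    },
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact JWT serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT encoder using only the standard library."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_claims(token: str) -> dict:
    """Verify the HS256 signature and return the payload claims."""
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def issue_token_vulnerable(session_id: str, requested_email: str) -> str:
    """Flawed pattern: the email claim is copied straight from the client request.

    The session is checked only for existence, so any logged-in account can
    obtain a validly signed token carrying an address it does not own.
    """
    if session_id not in SESSIONS:
        raise PermissionError("not logged in")
    return _sign_jwt({"email": requested_email, "iat": int(time.time())})


def issue_token_hardened(session_id: str, requested_email: str) -> str:
    """Corrected pattern: the claim must be an identity bound to this session.

    The client may still choose between the real and the relay address, but the
    server decides whether that choice belongs to the authenticated account.
    """
    identities = SESSIONS.get(session_id)
    if identities is None:
        raise PermissionError("not logged in")
    if requested_email not in identities.values():
        raise PermissionError("requested email is not bound to the authenticated account")
    return _sign_jwt({"email": requested_email, "iat": int(time.time())})


if __name__ == "__main__":
    # Same authenticated session, same foreign address: one issuer signs it, the other refuses.
    print(decode_claims(issue_token_vulnerable("sess-alice", "victim@example.com"))["email"])
    try:
        issue_token_hardened("sess-alice", "victim@example.com")
    except PermissionError as exc:
        print("hardened issuer refused:", exc)
```

The point for a reviewer of any identity-provider code is the shape of `issue_token_hardened`: every claim that a relying party will trust must be derived from, or checked against, server-side state about the authenticated principal, never accepted from the request body because a session happens to exist.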
One comment so far in the existing thread https://lobste.rs/s/hamdjk/zero_day_sign_with_apple#c_q9wgvb