The nonprofit OpenID Foundation this week addressed a letter to Craig Federighi, Senior Vice President of Software Engineering at Apple, arguing that the new login system the company unveiled a while ago, known as Sign in with Apple, bears a lot of similarity to its OpenID Connect protocol, but that Apple's system contains gaps and loopholes that may expose users to serious threats, as it is not sufficient to protect privacy and data.

The Foundation commended Apple's efforts to allow users to log into third-party smartphone and web applications using their Apple ID, and began its letter by explaining its own Connect protocol, which it described as a modern, widely adopted identity protocol based on OAuth 2.0 that enables third-party login to applications. It was developed by a large number of companies and industry experts within the organization.
Vulnerabilities in the new Apple feature
While it seems that Apple has largely adopted this protocol in Sign in with Apple, its new system for logging in with an Apple ID, there is a set of differences between the Apple system and OpenID Connect that reduce the number of places (sites and services) in which the Apple system can be used. These differences also expose users to privacy and security threats. In addition, the Apple system lacks PKCE (Proof Key for Code Exchange) in the authorization code flow, which may leave users exposed to replay attacks or code injection, as the OpenID letter states.
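
The PKCE check the letter refers to, shown as an added example (not code from the article, Apple, or the OpenID Foundation): a toy authorization server that binds each authorization code to an RFC 7636 S256 challenge, so a code presented without the matching verifier is rejected. `ToyAuthServer`, `new_verifier` and the token format are hypothetical names constructed for illustration.

```python
import base64
import hashlib
import secrets
from typing import Optional


def new_verifier() -> str:
    """Client side: random code_verifier (43 URL-safe chars, valid per RFC 7636)."""
    return secrets.token_urlsafe(32)


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class ToyAuthServer:
    """Hypothetical in-memory authorization server, for illustration only."""

    def __init__(self, require_pkce: bool):
        self.require_pkce = require_pkce
        self._codes = {}  # authorization code -> (user, code_challenge or None)

    def authorize(self, user: str, code_challenge: Optional[str] = None) -> str:
        """Authorization endpoint: issue a code bound to the client's challenge."""
        if self.require_pkce and code_challenge is None:
            raise ValueError("invalid_request: code_challenge required")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, code_challenge)
        return code

    def token(self, code: str, code_verifier: Optional[str] = None) -> str:
        """Token endpoint: redeem a code, enforcing single use and PKCE."""
        # pop() makes the code single use, so a replayed code is rejected.
        entry = self._codes.pop(code, None)
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        user, challenge = entry
        if challenge is not None:
            # Only the client that started the flow knows the verifier, so a
            # code injected into another session cannot be redeemed.
            presented = s256_challenge(code_verifier) if code_verifier else ""
            if not secrets.compare_digest(presented, challenge):
                raise PermissionError("invalid_grant: PKCE verification failed")
        return f"token-for-{user}"
```

With `require_pkce=False` the server redeems a code for whoever presents it first; with PKCE the same code is useless without the verifier held by the client that began the flow.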

Besides all this, the Foundation believes that Apple's new system places an unnecessary burden on developers who work with both OpenID Connect and Sign in with Apple, especially since the latter (Apple's) is not compatible with the certification program for the OpenID Connect protocol.
At the end of the letter, the OpenID Foundation asked Apple to address the gaps in its system and to use the OpenID Connect Self Certification Test (SCT) suite to verify the validity of its implementation. The organization also asked Apple to join it alongside many other companies, the most famous of which are Google, Facebook, Microsoft, PayPal and Yahoo, among other organizations.
It is reported that Sign in with Apple, the new login system from Apple, will be launched later this summer, in conjunction with the launch of iOS 13. With this technology Apple aims to focus on more privacy, instead of having its users log in through accounts of other sites such as Google, Twitter and Facebook.
Do you think Apple should join forces with its competitors on sign-in services? Will the mentioned vulnerabilities hinder the launch of Sign in with Apple soon?