The bug is not in the protocol. The bug is about the extra value addition that apple was doing by letting the user choose any other email address.
1. The account take over happens on the third party sites that use the apple login.
2. This seems like a product request to add value to user by providing a relay email address of a user's choice.
From the report- `I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid.`
It's not a bug with protocol or security algorithm. A lock by itself does not provides any security if its not put in the right place.
Thats the question I am struggling with, what does it takes to set up infrastructure for masks on scale, maybe somewhat lower quality for the population. Compared to the cost of shutting down lives of people which would have a very long term impact.
Some things about internet archives which isnt as obvious unless one has been there in person
- Housed in a church its not what a typical software development shop might look like, its mix of open office and workshop floor.
- A big workforce actually does a lot of manual work of scanning books and transferring from different media types
- Its a interesting experience to tour the data center which is in the office itself. I cannot remember but there was something special about those machines to control the heating
It's not a bug with protocol or security algorithm. A lock by itself does not provides any security if its not put in the right place.