2 comments

[ 3.1 ms ] story [ 11.4 ms ] thread
> But remember that I mentioned different APIs talked with CloudKit differently?

As this sentence is the cause of most the bugs in the post I begin to question how they implemented their gateway so that a different endpoint results in a totally different authorization scope. That just screams „auth bug“.

Wow, I remember this happening! That is truly funny to me that it was because of a security researcher accidentally triggering this massive bug.

Great write up, and kudos to apple for not suing him but paying out the bug bounties.