I really do respect Apple's attention to security and privacy, however I was a little disappointed when I came across an Apple ID leak from their login form [0] last week. They patched a fix a couple of days after I reported it, but still haven't responded to my initial report. It's quite concerning given how easily this simple flaw could have been used for malicious purposes to potentially collect millions of Apple IDs.

[0] https://github.com/zaytoun/Apple-ID-Data-Leak




That looks like extremely irresponsible disclosure? Publishing to GitHub and then "edit: I contacted apple"

????


There's nothing wrong with disclosing a security bug immediately.

https://hn.algolia.com/?query=author:tptacek%20responsible%2...


Wow, he's nothing if not consistent... you gotta respect that. Same opinion and phrasing going back 4+ years!



Literally every company is going to have some non-zero number of security leaks. I don't think it's reasonable to be disappointed in an entire company because of a bug written by (likely) one engineer. God knows I've written my share, but none of my software is on routes easily accessible to the public. Unless it's part of a larger pattern, this reaction is going to lead to you being disappointed with 100% of producers of software, past, present, and future, which doesn't seem like a useful state.

Incidentally, in the list of IDs you published, are those real? If they are: that's BS that you are publishing real people's IDs, and I'm also surprised by the number of numeric qq.com accounts.


IIRC, QQ uses a number as the "username," sort of like a phone number.


A list of Apple IDs isn't exactly a big deal. I've got mine listed in my HN profile.


And what exactly would you do with those Apple IDs? Just knowing the email address doesn't really get you very far.


You could spam them.

Anyways, it's a privacy violation. Apple shouldn't be handing out your email without your permission. Facebook has a setting allowing you to choose whether you want your email to be public or not.


Sure, you could spam them, but that's not a special property of Apple IDs. Apple certainly shouldn't be leaking emails, but describing this as "leaking Apple IDs" instead of "leaking emails" makes it sound like it's more serious than it is.

