蘋果推出新登錄功能,用戶可能面臨更大風(fēng)險(xiǎn)
行業(yè)團(tuán)體OpenID基金會(huì)稱,允許人們用一個(gè)蘋果賬號(hào)登錄各個(gè)網(wǎng)站和app的新登錄功能,存在重大隱私和安全漏洞,必須予以修復(fù)。 該基金會(huì)為非營(yíng)利組織,成員包括谷歌、PayPal和微軟等。它管理的OpenID Connect是一項(xiàng)行業(yè)標(biāo)準(zhǔn),作用是對(duì)同一ID在多個(gè)網(wǎng)站上授權(quán),而且無(wú)需設(shè)置不同的密碼。 OpenID基金會(huì)指出,“Sign in with Apple”功能和Open ID Connect有一些類似之處,但它并不完全符合該行業(yè)標(biāo)準(zhǔn)。該組織寫給蘋果公司工程高級(jí)副總裁克雷格·費(fèi)德里吉的信指出,該問(wèn)題有可能讓人們面臨“更大的安全和隱私風(fēng)險(xiǎn)”。 OpenID基金會(huì)的主席奈特·崎村在信中寫道:“OpenID Connect和Sign in with Apple目前的不同之處讓人們可以使用Sign in with Apple的地方變少了,而且讓他們面臨更大的安全和隱私風(fēng)險(xiǎn)。” 崎村說(shuō)蘋果尚未推出的這項(xiàng)單一ID登錄功能還給開(kāi)發(fā)者帶來(lái)了“不必要的負(fù)擔(dān)”,因?yàn)樗麄儽仨毷褂肙penID Connect標(biāo)準(zhǔn)并對(duì)蘋果此項(xiàng)功能的不同之處進(jìn)行處理。 OpenID基金會(huì)要求蘋果加入該組織并遵循OpenID Connect標(biāo)準(zhǔn)。一份追蹤該標(biāo)準(zhǔn)和蘋果產(chǎn)品差別的文件已經(jīng)詳細(xì)列出了“彌合差異”所需要調(diào)整的代碼。 網(wǎng)絡(luò)安全公司Mimecast的威脅情報(bào)部門主管弗朗西斯·加夫尼表示,OpenID使得人們加大了對(duì)潛在安全風(fēng)險(xiǎn)的顧慮。 加夫尼認(rèn)為:“考慮到威脅行動(dòng)體越發(fā)仔細(xì)地搜尋潛在漏洞,他們發(fā)現(xiàn)并利用某個(gè)‘差異’可能只是時(shí)間問(wèn)題。” 蘋果沒(méi)有立即對(duì)詢問(wèn)做出回應(yīng)。該公司一直宣稱,Sign in with Apple可以幫助重視隱私的人登錄他們喜歡的網(wǎng)站。蘋果表示它不會(huì)和app開(kāi)發(fā)者共享不必要的數(shù)據(jù)。 Sign in with Apple尚未發(fā)布,但iPhone用戶應(yīng)該會(huì)在自己喜歡的app中看到這個(gè)選項(xiàng),原因是蘋果已經(jīng)要求提供其他單一ID登錄方案(比如通過(guò)Facebook或谷歌賬號(hào)登錄)的開(kāi)發(fā)者同樣向用戶推薦Sign in with Apple。(財(cái)富中文網(wǎng)) 譯者:Charlie 審校:夏林 |
Apple’s new sign in feature, which allows people to use an Apple ID to sign into websites and apps, has critical privacy and security gaps that must be fixed, according to an industry group. The OpenID Foundation, a nonprofit with members including Google, PayPal, and Microsoft, runs OpenID Connect, an industry standard for authenticating a person’s identity across multiple websites, without requiring them to use different passwords. Sign in with Apple has some similarities with Open ID Connect, according to the group, but it’s not entirely in line with the industry standard. That’s a problem that could expose people to “greater security and privacy risks,” according to a letter the OpenID Foundation sent to Craig Federighi, Apple’s senior vice president of engineering. “The current set of differences between OpenID Connect and Sign in with Apple reduces the places where users can use Sign in with Apple, and exposes them to greater security and privacy risks,” Nat Sakimura, chairman of the OpenID Foundation, wrote in the letter. Sakimura says the single sign-in feature, which has yet to be rolled out, also puts an “unnecessary burden” on developers, who must work with the OpenID Connect standard and navigate the differences in Apple’s sign in feature. The OpenID Foundation asks that Apple join the group, and to become compliant with the industry protocol. A document tracking differences between those protocols and Apple’s product details a list of necessary coding changes to “address the gaps.” Francis Gaffney, director of threat intelligence at cybersecurity company Mimecast, says OpenID raises valid concerns about potential security risks. “Given the increased scrutiny by threat actors on potential vulnerabilities, it would only be a matter of time before one of these ‘differences’ is discovered and exploited,” Gaffney says. Apple did not immediately respond to a request for comment. The company is touting Sign in with Apple as a way for privacy-minded people to log into their favorite websites. Apple says it won’t share unnecessary data with app developers. Sign in with Apple hasn’t been publicly released, however anyone with an iPhone should expect to see it as an option in their favorite apps, since Apple requires developers who offer other single sign on options, such as through a Facebook or Google account, to also promote Apple’s sign-in as an option. |
-
熱讀文章
-
熱門視頻