Hacker News new | ask | show | jobs
by marcellus23 614 days ago
That helps, but I still don't have a full picture. What's the threat here? Is it that: if a hacker gains temporary access to Bob's email bob@example.com, they can create an Apple account attached to it, and use that account to sign in with a service ABC, then that hacker gains access to Bob's private info in service ABC? But if the hacker already has email access, can't he just log into service ABC directly anyway?

Also, is it impossible to have a Google account with a non-gmail address? The original poster seemed to be saying that Google _is_ a directory SSO and Apple _is not_ categorically. But if you can have a Google account without a Gmail-ran email account, wouldn't Google have the same vulnerability?
2 comments
nodamage 613 days ago
I think the most likely threat in this case is with ex-employees. If Bob has access to bob@example.com and creates an Apple account with it, then subsequently gets fired from example.com, they might delete his email address but his Apple account will still allow him to login to services using Sign in with Apple. (Because Apple only checks ownership of the email address when the Apple account is being created.)

Google accounts have the exact same issue so I don't understand the distinction made by the OP though.

link
wilsonnb3 614 days ago
> Also, is it impossible to have a Google account with a non-gmail address?

You can have your own domain if it is a workspace account

link
quacksilver 614 days ago
You can also sign up for a google account using a non-gmail email address without creating a new gmail address, providing the domain owner hasn't created a workspace account with that domain in the past.

This can be done with an account that you once had control over but don't anymore, like if you leave an employer.

You can't send mail from it, but many apps will take having a google account with a given email is proof of ownership, or an @example.com email address is proof that you are an employee of Example Inc. when they are a customer of the app and have a tenant set up.

link
lathiat 613 days ago
You can have a Google ID on any e-mail address, even without workspace. e.g. You don't need gmail to use YouTube.
link