by moi2388 414 days ago
> We were fortunate because ASO.dev also supports an alternative sign-in method (email with a one-time login code).

How does that work if, according to you, the Apple private relay emails bounce?

> One-third of our users, who registered via Apple’s private relay email, are now completely unreachable: • We can’t contact them (emails bounce). • We can’t restore their access (new IDs don’t match old accounts).

You could temporarily let these users have a one-time sign-in link sent to another email account, so they can update their settings, no?

Overall, a pretty serious incident. Please post updates regarding Apple's response.


It doesn’t work for Apple private relay users, but it does work for those who signed in with Apple without using “Hide My Email.”

The good news is that Apple’s private relay addresses are unique per user, so if someone contacts us, we can match and update their account to a regular email. We’ve added a banner to our site to help guide affected users through this.

One-time sign-in via email still works for everyone else, and we’re looking into ways to let users securely update their email via support if they can no longer log in.

We’re waiting on a response from Apple and will post updates as we get them. Thank you!

I think they're saying users with alternative sign-in methods are unaffected, but users without another sign-in method are locked out.

Otherwise, how do you verify that the user is requesting the one-time sign-in and not a threat actor trying to associate the account with their own email?

Knowing the Apple private relay email is almost like knowing a password — not a perfect method, but it’s currently the best option we have for verifying identity when the original email is no longer reachable and Apple provides no fallback.

That said, any sensitive data in our service is either encrypted with a user-provided phrase or never sent to our servers at all. We’ve put a lot of effort into security, but we honestly didn’t expect this kind of curveball from Apple — where the login email they issued suddenly becomes invalid and breaks access.

We’re waiting for a response from Apple and exploring safe fallback options in the meantime.