Comment by lathiat

4 months ago

I think what he means is, if you have an @gmail.com account via Google, that is pretty good proof of control. But if you have any other e-mail (e.g. a custom domain) via Google, it's not.

Similar with Apple, if you were signing in with an @icloud.com, it's pretty good proof, but if you have an Apple ID with a third-party e-mail it's not proof of current control of that e-mail.

That's my guess.

5 comments

lathiat

Reply
marcellus23  4 months ago

That helps, but I still don't have a full picture. What's the threat here? Is it that: if a hacker gains temporary access to Bob's email bob@example.com, they can create an Apple account attached to it, and use that account to sign in with a service ABC, then that hacker gains access to Bob's private info in service ABC? But if the hacker already has email access, can't he just log into service ABC directly anyway?

Also, is it impossible to have a Google account with a non-gmail address? The original poster seemed to be saying that Google _is_ a directory SSO and Apple _is not_ categorically. But if you can have a Google account without a Gmail-ran email account, wouldn't Google have the same vulnerability?

  • nodamage  4 months ago

    I think the most likely threat in this case is with ex-employees. If Bob has access to bob@example.com and creates an Apple account with it, then subsequently gets fired from example.com, they might delete his email address but his Apple account will still allow him to login to services using Sign in with Apple. (Because Apple only checks ownership of the email address when the Apple account is being created.)

    Google accounts have the exact same issue so I don't understand the distinction made by the OP though.

  • wilsonnb3  4 months ago

    > Also, is it impossible to have a Google account with a non-gmail address?

    You can have your own domain if it is a workspace account

    • quacksilver  4 months ago

      You can also sign up for a google account using a non-gmail email address without creating a new gmail address, providing the domain owner hasn't created a workspace account with that domain in the past.

      This can be done with an account that you once had control over but don't anymore, like if you leave an employer.

      You can't send mail from it, but many apps will take having a google account with a given email is proof of ownership, or an @example.com email address is proof that you are an employee of Example Inc. when they are a customer of the app and have a tenant set up.

    • lathiat  4 months ago

      You can have a Google ID on any e-mail address, even without workspace. e.g. You don't need gmail to use YouTube.