dedoussis / icloud-hide-my-email-browser-extension

Enjoy iCloud's Hide My Email service in your favourite browser
https://chrome.google.com/webstore/detail/icloud-hide-my-email/omiaekblhgfopjkjnenhahfgcgnbohlk
MIT License
319 stars, 15 forks

Client Id #18

Closed superlevure closed 1 year ago

superlevure commented 1 year ago

Hi!

Your extension is using the following Client Id to connect to iCloud: d39ba9916b7251055b22c7f910e2ea796ee65e98b2ddecea8f5dde8d9d1a815d

Is that ID tied to a personal account?

dedoussis commented 1 year ago

Hey @superlevure!

This ID is not tied to a personal account or a device. It is an OAuth2 public client ID that Apple has assigned to their own https://icloud.com/ web app.

These headers are used upon the iCloud authentication flow. Apple's authentication server keeps track of a set of registered client IDs (along with their redirect URIs) that are allowed to perform authentication. I assume that some other client ID is used when an iOS process attempts to authenticate against iCloud.

By using these client headers (along with Origin and Referrer), the extension pretends to be the https://icloud.com/ client of Apple.
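The registry check described in the comment above, sketched for a generic OAuth2 authorization server. This is an added example, not part of the thread and not Apple's or the extension's code; the client IDs, URIs, function name and result fields are constructed placeholders.

```javascript
// Constructed registry: each client ID maps to its type and registered redirect URIs.
const REGISTERED_CLIENTS = new Map([
  ["example-web-client-id", {
    type: "public", // no client secret: the ID identifies the app, it does not authenticate it
    redirectUris: ["https://app.example/callback"],
  }],
  ["example-backend-client-id", {
    type: "confidential", // holds a secret and authenticates at the token endpoint
    redirectUris: ["https://backend.example/oauth/cb"],
  }],
]);

// Decide whether an authorization request may proceed (hypothetical helper).
function validateAuthorizationRequest({ clientId, redirectUri }) {
  const client = REGISTERED_CLIENTS.get(clientId);
  if (!client) {
    // Unknown client: fail without redirecting anywhere.
    return { ok: false, reason: "unknown client_id" };
  }
  // Exact string match only; prefix or substring matching would accept
  // URIs that were never registered for this client.
  if (!client.redirectUris.includes(redirectUri)) {
    return { ok: false, reason: "redirect_uri not registered for client" };
  }
  return {
    ok: true,
    clientType: client.type,
    // A public client cannot prove its identity, so the server's assurance
    // rests on delivering results only to the registered redirect URI.
    clientIsAuthenticated: false,
    requiresSecretAtTokenEndpoint: client.type === "confidential",
  };
}

// Constructed sample requests.
console.log(validateAuthorizationRequest({
  clientId: "example-web-client-id",
  redirectUri: "https://app.example/callback",
}));
console.log(validateAuthorizationRequest({
  clientId: "example-web-client-id",
  redirectUri: "https://app.example.other.test/callback",
}));
```

For a public client the check passes for any caller that presents a registered ID and redirect URI, which is why such an ID is an identifier rather than a credential.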

dedoussis commented 1 year ago

It should be possible to fetch this ID programmatically rather than hardcoding it into the source. This will prevent the extension from breaking in the unlikely scenario of Apple rotating the registered client ID of https://icloud.com.

superlevure commented 1 year ago

Thanks for the explanation! I've looked at network exchanges when logging in to https://icloud.com and indeed that token is used by Apple.

Thank you for the very useful extension.