The vulnerability was reported to the Cupertino-based tech giant in April, and was found to impact third-party applications that were using Sign in with Apple without additional security measures.
An attacker exploiting the vulnerability could have taken over user accounts on the affected third-party applications, regardless of whether the victim was using a valid Apple ID or not, security researcher Bhavuk Jain explains.
Sign in with Apple, the researcher explains, can authenticate a user either by using a JWT (JSON Web Token) or a code generated by the Apple server (which is then used to create a JWT).
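An added example (not from the article, the researcher or Apple) of the baseline checks a third-party app's server runs on such a JWT before trusting it: a pinned RS256 signature check, then the `iss`, `aud`, `exp` and `sub` claims. The article does not say which additional measures the unaffected apps used. The RSA key, the client ID `com.example.app`, the token contents and all function names are constructed for the demo; a real service would verify against Apple's published public keys.

```python
import base64, hashlib, json, time

# Constructed demo key, NOT Apple's: two Mersenne primes form a valid but insecure RSA modulus.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))  # D only signs the constructed sample token
K = (N.bit_length() + 7) // 8                 # modulus length in bytes
DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256, RFC 8017
ISSUER = "https://appleid.apple.com"          # iss value of Sign in with Apple identity tokens

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa(message):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), K bytes long."""
    t = DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def make_sample_token(claims, alg="RS256"):
    """Build a constructed token signed with the demo key (helper for the demo only)."""
    body = b64u(json.dumps({"alg": alg}).encode()) + "." + b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa(body.encode()), "big"), D, N)
    return body + "." + b64u(sig.to_bytes(K, "big"))

def verify_identity_token(token, client_id, now=None):
    """Return the claims if signature and claims check out, else raise ValueError."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(unb64u(h)), json.loads(unb64u(p)), unb64u(s)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never follow the header's choice
    recovered = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    if len(sig) != K or recovered != emsa(f"{h}.{p}".encode()):
        raise ValueError("bad signature")
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was issued for another app")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= (now or time.time()):
        raise ValueError("expired")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise ValueError("missing subject")
    return claims
```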