Apple fixed a security vulnerability in iOS and macOS that could have allowed an attacker to gain unauthorized access to a user’s iCloud account. The flaw resided in Apple’s implementation of the Touch ID (or Face ID) biometric feature that authenticated users logging in to websites in Safari. The vulnerability resided in the gsa.apple.com API, which made it theoretically possible to abuse those domains to verify a client ID without authentication. In May, Apple patched a flaw impacting its “Sign in with Apple” system that made it possible for remote attackers to bypass authentication.
Source: https://thehackernews.com/2020/08/apple-touchid-sign-in.html

