Apple recently paid Indian vulnerability researcher Bhavuk Jain a huge $100,000 bug bounty for reporting a highly critical vulnerability affecting its ‘Sign in with Apple’ feature. The vulnerability resided in the way Apple was validating a user on the client-side before initiating a request from Apple’s authentication servers. The missing validation in that part of the mechanism could have allowed an attacker to provide a separate Apple ID belonging to a victim, tricking Apple servers into generating a JWT payload that was valid to sign in to a 3rd-party service.
Source: https://thehackernews.com/2020/05/sign-in-with-apple-hacking.html
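The bug class described above, in a simplified form, is a token issuer that signs whatever identity the client asks for instead of the identity the client actually authenticated as. The following is an added illustration, not Apple's code and not the researcher's findings: it uses a hand-rolled HS256 JWT with a constructed demo secret, a constructed session, and hypothetical `issue_token_vulnerable` / `issue_token_fixed` functions to show the missing check beside the fix (the subject claim must be bound to the authenticated session, never taken from the request).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret for the example; a real issuer signs with an asymmetric key.
ISSUER_SECRET = b"demo-signing-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact JWT serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_jwt(claims: dict) -> str:
    """Produce a compact HS256 JWT (header.payload.signature) for the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(ISSUER_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_claims(token: str) -> dict:
    """Verify the HMAC and return the claims; raises ValueError on a bad signature."""
    header, payload, sig = token.split(".")
    expected = hmac.new(ISSUER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


# Constructed session: the account that actually proved its identity to the issuer.
SESSION = {"authenticated_user": "alice@example.com"}


def issue_token_vulnerable(session: dict, request: dict) -> str:
    """Hypothetical vulnerable issuer: trusts the identity named in the request."""
    # Bug: 'sub' comes from client input, so the signed token can name any account.
    return sign_jwt({"iss": "demo-issuer", "aud": request["client_id"],
                     "sub": request["requested_user"]})


def issue_token_fixed(session: dict, request: dict) -> str:
    """Hypothetical fixed issuer: 'sub' is bound to the authenticated session."""
    requested = request.get("requested_user")
    if requested is not None and requested != session["authenticated_user"]:
        # Server-side check the vulnerable path lacked: reject a mismatched identity.
        raise PermissionError("requested identity does not match authenticated session")
    return sign_jwt({"iss": "demo-issuer", "aud": request["client_id"],
                     "sub": session["authenticated_user"]})


if __name__ == "__main__":
    req = {"client_id": "third-party-app", "requested_user": "victim@example.com"}
    print("vulnerable sub:", decode_claims(issue_token_vulnerable(SESSION, req))["sub"])
    try:
        issue_token_fixed(SESSION, req)
    except PermissionError as exc:
        print("fixed issuer rejected:", exc)
```

The signature on the vulnerable token is perfectly valid, which is why a relying party verifying `iss`, `aud`, `exp` and the signature cannot detect this on its own: the defect is in the issuer, and the only reliable fix is to derive the subject from the authenticated session rather than from anything the client sends.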

