The ease and convenience of Sign in with Apple may have all come crashing down with a recently discovered bug. In an interview in April, researcher Bhavuk Jain revealed a bug that could potentially have exposed users' data. As MacRumors excellently explains:
Jain then discovered that once JWTs for both Apple ID emails and private relay email addresses were requested and the token’s signature was verified using Apple’s public key, it “showed as valid.” Should the bug have not been discovered, a JWT could be created and used to gain access to one’s account.
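The quoted passage turns on one observation: a JWT whose signature verifies under Apple's public key "shows as valid". The example below, added here and not taken from the article, MacRumors or Apple, shows what a relying party's verification of such an ID token should establish beyond the signature: the issuer, the audience (the app's own client_id) and the expiry. It stands in a locally generated RSA key for the keys Apple publishes, and the client_id `com.example.app`, the `sub` value and the e-mail address are constructed sample values; the issuer string `https://appleid.apple.com` is Apple's real issuer. Note what the example does not do: in the reported bug the token was issued and signed by Apple itself, so these relying-party checks alone would not have caught it. They are the baseline a service must still perform so that a signed token for another app, or a stale one, is never accepted.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of Sign in with Apple ID-token claims checked here.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// mintToken builds an RS256 JWT. It stands in for the authorization server
// in this demo (constructed here; real tokens are issued by Apple).
func mintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken checks the RS256 signature and then the claims a relying
// party must validate itself: issuer, audience (its own client_id) and expiry.
// A token that is correctly signed but meant for another app, or already
// expired, is rejected.
func VerifyIDToken(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm: never let the token header choose it.
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature invalid")
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, errors.New("issuer mismatch")
	}
	if c.Aud != wantAud {
		return nil, errors.New("audience mismatch: token was issued for another app")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for Apple's signing key
	now := time.Now()
	tok, _ := mintToken(key, Claims{Iss: "https://appleid.apple.com", Aud: "com.example.app",
		Sub: "001234.abcd", Email: "user@example.com", Exp: now.Add(10 * time.Minute).Unix()})
	// Accepted: signature, issuer, audience and expiry all check out.
	c, err := VerifyIDToken(tok, &key.PublicKey, "https://appleid.apple.com", "com.example.app", now)
	fmt.Println(c, err)
	// Rejected: the signature is still valid, but the token belongs to another app.
	c, err = VerifyIDToken(tok, &key.PublicKey, "https://appleid.apple.com", "com.other.app", now)
	fmt.Println(c, err)
}
```

In production the public key is selected by the token header's `kid` from the keys Apple publishes, and the `nonce` claim is compared with the one sent in the authorization request; both are left out here so the example runs offline.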
Jain reported the bug to Apple and was awarded $100,000. Apple also said no accounts were compromised and that the bug had been patched.