original link: https://www.v2ex.com/t/959041 I can't make original link to url feild, so put it into content. The original link requires proficiency in Chinese language to comprehend.
If an application conceals a webview behind a login or other interface, and the webview opens appleid.apple.com, upon tapping the login button, the application can execute JavaScript to simulate clicking the login button of appleid.apple.com. If one fails to discern the disparity between "Sign in Apple ID" and "Sign in with Apple," the application can execute JavaScript to pilfer cookies associated with appleid.apple.com.
Following the aforementioned steps, the application will present an alert resembling "Sign in to iTunes Store." As you are aware, an app-generated "Sign in to iTunes Store" alert bears no distinction from a system-generated one. The sole means to verify whether the alert originates from the system is attempting to return to the home screen. If this goes unnoticed, the application will acquire your Apple ID password. This constitutes the primary concern, because logging into appleid.apple.com on a trusted device doesn't require 2FA, it only requires Face ID or Touch ID, whether you're logging in using Safari or WebView. The application can exploit JavaScript to modify your phone number used for two-factor authentication, thereby get the control of your Apple ID, enabling the attacker to use it for credit card theft.