'Sign in with Apple' flaw let attackers take over accounts