Mejri reported the "application-side input validation web vulnerability" to Apple in early June, and went public with details of the flaw on Monday this week after conversations with Apple's security team petered out.
"After we received no serious reply, we released the data," Mejri told El Reg in an email. Apple did not respond to a request for comment, and it's not clear if the vulnerability has been addressed.
"The vulnerability allows remote attackers to inject [their] own malicious script code," German-speaking Mejri explained.
"Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources, and persistent manipulation of affected or connected service module context," he added.
A video showing how to exploit the hole can be watched below. ®