[CRITICAL] Full account takeover without user interaction on sign with Apple flow
Team Summary
Official summary from Glassdoor
An account takeover was detected with our sign-up with Apple flow where an email parameter was manipulated in the request flow to our servers. This scenario can only be performed on a previously unlinked Apple ID account with Glassdoor. Changing the email in the request flow allowed the researcher to take over a dummy account and perform actions on it without the user knowing about it. We have rectified this behavior since the report and are ignoring the email parameter in the request flow and solely relying on the token provided via the linking flow. We did not detect any abuse of the above behavior in our logs since the time it was introduced, except for the researcher and our tests. We want to thank the researcher @emanelyazji for their cooperation, patience, and collaboration in this report.
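The summary above names the root cause (a client-supplied email parameter decided which Glassdoor account the Apple login was linked to) and the fix (rely only on the identity token). The following is an added example, not Glassdoor's code, showing the flawed linking pattern next to the hardened one. Apple's real identity token is an RS256-signed JWT verified against Apple's published keys; to run offline, the signature check here is a stand-in using HMAC-SHA256 with a constructed key, and `CLIENT_ID`, the user store and all token claims are constructed values.

```python
"""Added example (not Glassdoor's code): the Apple identity token, not a request
parameter, must decide which local account a Sign in with Apple login maps to."""
import base64
import hashlib
import hmac
import json
import time

APPLE_ISSUER = "https://appleid.apple.com"   # real Apple issuer value
CLIENT_ID = "com.example.app"                # hypothetical app client ID (audience)
STANDIN_KEY = b"constructed-test-key"        # stand-in for Apple's RS256 public key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_identity_token(claims: dict) -> str:
    """Build a JWT-shaped token; stand-in for the token Apple issues to the client."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(STANDIN_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_identity_token(token: str, now=None) -> dict:
    """Check signature, issuer, audience and expiry; return the claims or raise."""
    header, body, sig = token.split(".")
    expected = hmac.new(STANDIN_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("bad issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("bad audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def fresh_users() -> dict:
    """Constructed user store: email -> record; neither account is linked to an Apple ID yet."""
    return {
        "victim@example.com": {"apple_sub": None},
        "attacker@example.com": {"apple_sub": None},
    }


def link_vulnerable(request: dict, users: dict) -> str:
    """The flawed pattern from the report: the token proves that *some* Apple login
    happened, but the account to link is chosen by the client-supplied email."""
    claims = verify_identity_token(request["identity_token"])
    email = request["email"]                  # attacker-controlled
    users[email]["apple_sub"] = claims["sub"]  # links someone else's unlinked account
    return email


def link_hardened(request: dict, users: dict) -> str:
    """The fix from the report: ignore any email in the request body and use only
    the email asserted inside the verified identity token."""
    claims = verify_identity_token(request["identity_token"])
    email = claims["email"]                   # asserted by Apple, not the client
    if email not in users:
        raise PermissionError("no unlinked account for this Apple ID")
    if users[email]["apple_sub"] not in (None, claims["sub"]):
        raise PermissionError("account already linked to a different Apple ID")
    users[email]["apple_sub"] = claims["sub"]
    return email


def demo() -> dict:
    """Run both handlers against the same manipulated request; return who got linked."""
    token = make_identity_token({
        "iss": APPLE_ISSUER, "aud": CLIENT_ID, "sub": "apple-attacker",
        "email": "attacker@example.com", "email_verified": True, "exp": 4102444800,
    })
    manipulated = {"identity_token": token, "email": "victim@example.com"}
    vuln_users, hard_users = fresh_users(), fresh_users()
    return {
        "vulnerable_linked": link_vulnerable(manipulated, vuln_users),
        "hardened_linked": link_hardened(manipulated, hard_users),
    }


if __name__ == "__main__":
    print(demo())
```

Keying the link on the token's `sub` claim (Apple's stable user identifier) and treating the request body's email as untrusted removes the class of bug; the `email_verified` claim and the rule that an already-linked account cannot be re-linked to a different Apple ID are the two extra checks worth keeping in a real handler.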
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Improper Authentication - Generic