That seems to be an entirely different point. Krebs suggests repeatedly that all you need to do to get hacked is click "Allow" in the push notification. This is demonstrably false.

"Assuming the user manages not to fat-finger the wrong button" means "assuming the user clicks Don't Allow". They call on the phone to try and convince the user to say Allow next time.

Of course that's kinda BS too, because the only time "Allow" gives you a six digit code is if you successfully authenticate your apple ID on a new device. If you get the reset password dialog, the result of Allow is not a six digit code, it just allows you to reset the password. Yourself. On your device.

Are you reading the second half of the sentence I posted? Sorry but I'm not understanding where you are coming from - Krebbs lays out clearly in the first paragraph how the attack works and you seem to be deliberately ignoring that.

Are you reading the first half of the sentence you posted? They are clearly implying pressing the wrong button would be dangerous.

It’s a bit confused about what exactly the problem is, so is a little self-contradictory (including elsewhere in the article).

No? I thought I specifically addressed that. They call you on the phone and ask for a code you won't have, even if you hit Allow.

What I find interesting is that Krebs didn't do any legwork to verify the claims before publishing.

Why wouldn't you have the code? I thought your device shows the code when you press 'allow'.