The vulnerability in question lies in the way that Jelly Bean handles the flow of requests when a user attempts to change one of the many security locks in the operating system.
The researchers who discovered a serious vulnerability in Android 4.3 Jelly Bean that enables a malicious app to disable the security locks on a vulnerable device have published a proof-of-concept app that exploits the bug, as well as source code for the app.