A major flaw has been discovered in iOS 7 that seemingly allows users to disable the important ‘Find My iPhone’ feature on a device without typing in the typically required password. Turning off the feature on a stolen device makes it invisible to Apple’s location service.
What’s worse, the flaw isn’t difficult to exploit. The bug can be reproduced on any device [that we’ve seen] running iOS 7.0.4 by following a few simple steps that involve making changes in the iCloud section of the Settings app and entering a dummy password…
Here’s a video demonstration of the flaw, first spotted by MacRumors:
And the accompanying text from the person who discovered the bug:
“MAJOR Security flaw in Find My iPhone iCloud Lock BYPASS. Activation Lock Bypass. This video is to show a security flaw in Apple’s Find My iPhone feature so Apple can fix this. I tried to contact Apple and nobody has responded.”
Obviously, this won’t work on a device that has Touch ID or Passcode enabled, since an attacker would have to make it past the Lock screen to get to the Settings app, and it doesn’t look like the bug disables Activation Lock. Nevertheless, it’s still a fairly big security concern.
We were able to replicate the bug on an iPhone 5s running iOS 7.0.4, and MacRumors confirms it exists on the iPad as well. The good news, though, is that the site says they weren’t able to reproduce the problem on devices running iOS 7.1, suggesting it’s going to be patched soon.