A newly discovered bug in iOS 7 allows attackers to disable the Find My iPhone feature without entering a password. The way the exploit works is by going into the settings to attempt and change someone’s iCloud credentials.
Entering a random password into the password field, backing out, and then changing the description of the iCloud account will allow an attacker to disable the Find My iPhone feature. Furthermore, the exploit allows the complete removal of an iCloud account on the device as well. This means someone could theoretically unlink your phone with your iCloud account without knowing your password.
In order to protect yourself against this type of attack, be sure to enable Touch ID if you have an iPhone 5s or to enable a Passcode if you don’t. Since an attacker won’t be able to access your settings without your Touch ID or Passcode, you will be safe from the attack.
I successfully replicated this exploit with an iPad running iOS 7.0.4, though MacRumors reports that the exploit doesn’t work with the beta release of iOS 7.1. Perhaps Apple is already aware of the flaw and is working to patch it in an upcoming update.
Source: MacRumors | Bradley Williams (YouTube)
