Bug in iOS 7 Lets You Disable Find My iPhone/Delete iCloud Account Without a Password
A new security flaw in iOS 7.0.4 has been discovered that allows someone with potentially malicious intent to delete the iCloud account registered to an iOS device and disable Apple's Find My iPhone theft-deterrent feature without having to enter the password to that user's Apple ID.
Normally, when you try to disable Find My iPhone, or delete an iCloud account from an iOS device, Apple's iOS 7 operating system should prompt you to enter the password to the Apple ID of the account you're trying to modify. This feature was intended to help prevent device theft by keeping unwanted users from stealing and using your iOS device(s).
Unfortunately, this new bug that has been discovered allows the potentially malicious user to work a little goofy finger magic, and suddenly Apple's iOS 7 won't ask you for that password to that Apple ID anymore. You can check out the thorough video demonstration of this happening below:
For a mobile-friendly video link that works with our app, tap on the video link below:
This comes off as a major security issue, because this means that anyone that gets ahold of your device and has access to the Settings application could literally make your iOS device their own in a matter of seconds.
reports that they were able to confirm that the bug exists and can be exploited on multiple variations of iOS 7.0.4 devices, including iPhones and iPads, and also verified that the bug doesn't appear to be existent in Apple's upcoming iOS 7.1 firmware, which is currently in beta 5 as of Tuesday
If you're worried about being targeted by this bug, the best protection is to set a passcode or use Touch ID so that no one but you can get into your iOS device and launch the Settings application. Those that are jailbroken on iOS 7.0.4 will probably be willing to deal with the bug to keep their jailbreaks, so a passcode is probably the best idea.
Sources: Bradley Williams