Here's a Shockingly Easy Way To Skirt iCloud's Two-Factor Verification

There's a major flaw in the way that Apple's iCloud syncs photos that makes it laughably easy for a hacker to get all those naked selfies that you never want the world to see — and it's possible to exploit even if you have two-factor verification enabled.

TUAW's Michael Rose did a simple experiment where he set the iCloud Control Panel on a brand new installation of Windows, logged in with his iCloud credentials and checked off the options to synchronize bookmarks and photos with this new PC. Within a few minutes, his entire photo stream had downloaded seamlessly onto this never-before-seen PC.

"I turned to my iCloud email account to wait for the obligatory "Your account was accessed from a new computer" courtesy alert... which never arrived", Rose writes.

Are you getting it? All a "hacker" has to do is guess your iCloud password. Once they have that, there's nothing stopping them from syncing your entire photo stream to their computers. You would have no idea, because Apple won't bother to inform you, which defeats the whole frigging point of having two-factor authentication in the first place.

Two-factor authentication on iCloud, is only triggered by a short list of interactions:

  • Signing in to your Apple ID management console to manage your account
  • Making an iTunes, App Store, or iBooks Store purchase from a new device
  • Getting Apple ID related support from Apple

If you're not doing these things, Apple is totally cool if you don't enter a confirmation code from another device. It's a strange omission in what is, otherwise, a fairly effective way to prevent bad guys from getting into your iCloud account, more troubling because Apple is the only major company that does this. If you install Dropbox or OneDrive on your PC, for instance, they will not let you in unless you enter your authenticator code period. That, folks, is how it's supposed to work.

"It's pretty clear that Apple's doing its best to guard your wallet with this implementation — anything that might cause a credit card charge via an unfamiliar iOS device is going to force you to authenticate," Rose writes.

When it comes to guarding your privacy, however? Apple's got a long way to go. [TUAW]