
Here's a Shockingly Easy Way To Skirt iCloud's Two-Factor Verification


There's a major flaw in the way that Apple's iCloud syncs photos that makes it laughably easy for a hacker to get all those naked selfies that you never want the world to see — and it's possible to exploit even if you have two-factor verification enabled.


TUAW's Michael Rose did a simple experiment: he set up the iCloud Control Panel on a brand new installation of Windows, logged in with his iCloud credentials and checked off the options to synchronize bookmarks and photos with this new PC. Within a few minutes, his entire photo stream had downloaded seamlessly onto this never-before-seen PC.


"I turned to my iCloud email account to wait for the obligatory 'Your account was accessed from a new computer' courtesy alert... which never arrived," Rose writes.

Are you getting it? All a "hacker" has to do is guess your iCloud password. Once they have that, there's nothing stopping them from syncing your entire photo stream to their computers. You would have no idea, because Apple won't bother to inform you, which defeats the whole frigging point of having two-factor authentication in the first place.

Two-factor authentication on iCloud is only triggered by a short list of interactions:

  • Signing in to your Apple ID management console to manage your account
  • Making an iTunes, App Store, or iBooks Store purchase from a new device
  • Getting Apple ID related support from Apple

If you're not doing these things, Apple is totally cool with you not entering a confirmation code from another device. It's a strange omission in what is, otherwise, a fairly effective way to prevent bad guys from getting into your iCloud account, and it's all the more troubling because Apple is the only major company that does this. If you install Dropbox or OneDrive on your PC, for instance, they will not let you in unless you enter your authenticator code. Period. That, folks, is how it's supposed to work.
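As an added illustration of the design gap described above (example code, not Apple's or TUAW's), here is a small model of step-up authentication in Python. The action names, the two policies and the credential values are constructed assumptions; the "weak" policy mirrors the trigger list the article describes, and the "hardened" policy stands in for the Dropbox/OneDrive behaviour that challenges every unknown device and tells the owner about it.

```python
from dataclasses import dataclass, field

# Actions the article lists as the only ones that trigger iCloud's second factor.
WALLET_ACTIONS = {"manage_account", "purchase", "support"}


@dataclass
class Account:
    password: str
    otp: str                                          # constructed sample second-factor code
    trusted_devices: set = field(default_factory=set)
    alerts: list = field(default_factory=list)        # "new device" notifications sent to the owner


@dataclass
class Policy:
    challenge_new_device: bool   # require the second factor for ANY action from an unknown device
    alert_new_device: bool       # notify the owner when an unknown device gets in


WEAK = Policy(challenge_new_device=False, alert_new_device=False)     # as described in the article
HARDENED = Policy(challenge_new_device=True, alert_new_device=True)   # what Dropbox/OneDrive do


def request(account, policy, action, device_id, password, code=None):
    """Evaluate one request; returns 'ok' or 'denied' and updates the account's device state."""
    if password != account.password:
        return "denied"
    unknown = device_id not in account.trusted_devices
    # Step-up is always required for wallet actions; for everything else it depends on policy.
    step_up = action in WALLET_ACTIONS or (policy.challenge_new_device and unknown)
    if step_up and code != account.otp:
        return "denied"
    if unknown:
        if policy.alert_new_device:
            account.alerts.append(f"{action} from new device {device_id}")
        account.trusted_devices.add(device_id)   # a device is trusted only after a successful request
    return "ok"


def demo(policy):
    """Replay the article's scenario: correct password, brand-new PC, photo sync, no code offered."""
    acct = Account(password="hunter2-example", otp="123456")   # constructed values
    result = request(acct, policy, "sync_photos", "new-windows-pc", "hunter2-example")
    return result, list(acct.alerts)


if __name__ == "__main__":
    print("weak:", demo(WEAK))          # ('ok', [])  -> silent full sync with only a password
    print("hardened:", demo(HARDENED))  # ('denied', []) -> blocked until the code is supplied
```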


"It's pretty clear that Apple's doing its best to guard your wallet with this implementation — anything that might cause a credit card charge via an unfamiliar iOS device is going to force you to authenticate," Rose writes.

When it comes to guarding your privacy, however? Apple's got a long way to go. [TUAW]




How is this any different from Google Drive or Sky Drive or Flickr or Photobucket or on, and on, and on? This is why users are told to use strong passwords. This is why users are told not to use passwords that can be easily guessed, but still the most common password in the world is "12345678". How can you blame the service providers if users choose to ignore guidance about passwords? Let's face it, the only reason that we're even talking about this, as it's such a well known problem, is that some celebs' nips got posted online.

PS. Gawker has some stones blaming others for lack of security. Your accounts got stolen big time exposing millions of users to the risk of stolen data for other services where they'd used the same password.