New iOS 7 Bug Allows Disabling Of "Find My iPhone" Without Password

When Apple launched iOS 7, I was very happy to see some security features they have added to the new iOS like “KeyChain” and “Find My iPhone” which was automatically enabled and no one can disable Find My iPhone without your Apple ID password. But it looks like there is a new major flaw has been discovered that allows users to disable “Find My iPhone” without needing to write the required password.

And what’s worse is, the flaw isn’t difficult to exploit. The bug can be reproduced on any device [that we’ve seen] running iOS 7.0.4 by following a few simple steps that involve making changes in the iCloud section of the Settings app and entering in a dummy password…

Remember, Find My iPhone also prevent anyone to restore your iPhone via iTunes without typing the required password.. 

And here’s the first video of the flaw, first spotted by MacRumors:

And the accompanying text from the person who discovered the bug:

“MAJOR Security flaw in Find My iPhone iCloud Lock BYPASS. Activation Lock Bypass. This video is to show a security flaw in apple’s find my iphone feature so apple can fix thi. I tried to contact apple and nobody has responded.”

Obviously, this won’t work on a device that has Touch ID or Passcode enabled, since an attacker would have to make it passed the Lock screen to get to the Settings app, and it doesn’t look like the bug disables Activation Lock. But nevertheless, it’s still a fairly big security concern.

We were able to replicate the bug on an iPhone 5s running iOS 7.0.4, and MacRumors confirms it exists on the iPad as well. The good news, though, is that the site says they weren’t able to reproduce the problem on devices running iOS 7.1, suggesting it’s going to be patched soon.