There is reportedly a security hole in Apple’s two-step verification: iCloud Control Panel on Windows only requires you to enter your Apple ID and password, with no additional verification. This app gives you access to data such as photos stored in iCloud. The flaw was reported by The Unofficial Apple Weblog, and we are currently confirming its validity.
Apple introduced two-step verification in March 2013, but its implementation seems to be focused more on protecting purchases than data. When activated, two-step verification is required for every program or device where you can make purchases, but not for iCloud Control Panel.
iCloud Control Panel syncs mail, contacts, calendars and browser bookmarks, and also downloads any photos taken with connected iOS devices like iPhones. As it doesn’t currently require two-step verification, anyone who gets ahold of your login details would have access to your photo stream (and the data listed above).
It’s important to stress that it is not easy to get ahold of someone’s Apple ID login details. They can only be learned by using phishing or ‘social engineering’ (tricking you into giving your details away). However, leaving one part of iCloud uncovered by the two-step verification system is an oversight by Apple, and it should be fixed.
We still recommend enabling two-step verification, as it does make your devices more secure, and Apple will no doubt address this flaw very soon.
Source: TUAW
Follow Jonathan on Twitter: @jonathanriggall