CVE-2014-2019

Vulnerability

The iCloud subsystem in Apple iOS before 7.1 contains a flaw that allows physically proximate attackers to bypass the required password when turning off Find My iPhone or completing a Delete Account action. The bypass is triggered by entering an arbitrary iCloud Account Password value and a blank iCloud Account Description value. This affects all iOS devices running versions prior to 7.1.

Exploitation

An attacker must have physical access to the unlocked device. They navigate to the iCloud settings, attempt to disable Find My iPhone or delete the account, and then enter any password (e.g., a random string) while leaving the iCloud Account Description field blank. The system incorrectly accepts this input and proceeds without proper authentication.

Impact

Successful exploitation allows the attacker to disable Find My iPhone, which removes activation lock and device tracking. Alternatively, they can complete a Delete Account action, disassociating the device from the legitimate Apple ID. The attacker can then associate the device with a different Apple ID, potentially locking the original owner out of their device and iCloud services.

Mitigation

Apple addressed this issue in iOS 7.1, released on March 10, 2014, as documented in their security advisory [1]. Users should update to iOS 7.1 or later to remediate the vulnerability. No workarounds are available for unpatched versions.