iOS 7 was the first release from Apple that required users to disable Find My iPhone before an iCloud account could be deleted or a device could be factory reset. To disable Find My iPhone, of course, one needs to know the password for the associated Apple ID – or at least, one used to.
A recently discovered vulnerability now allows users to bypass this requirement with little effort. As shown in the clip below, one needs only to tap “delete account” and the toggle switch to disable Find My iPhone at the same time. From there, hold down the power button to turn the phone off.
Power the handset back up and you’ll now be able to go into the iCloud control panel and delete the account without being prompted for a password. After that, it’s a breeze to connect the phone to iTunes and restore it. And since Activation Lock requires Find My iPhone to be enabled, it won’t activate once the phone has been restored.
It’s a pretty serious flaw, as anyone with access to your phone could essentially reset it. That is, of course, if you aren’t using a passcode or Touch ID. At present, we aren’t aware of any hack that allows a user to bypass the lock screen or Touch ID, so that first line of defense appears to be solid for now.
With any luck, Apple will issue a minor patch in the coming days or weeks to remedy this bug.