How is this a "major security flaw" when step one requires a thumbprint or passcode to access the settings in the first place? I appreciate you pointing out the bug that allows you to bypass the password barrier for deactivation- but for this to expose a vulnerability, the device would have to be stolen out of a user's hands or the user would have to leave their device unlocked. That's a societal/user flaw IMHO.
I would agree with that; however, it still is a bug that needs to be addressed. I buy and repair phones on the side for resale on eBay. I run the ESNs to see if they are clear and I check to see if icloud is logged in when I am buying a phone or iPad. If it shows me a blank login, I (up until this bug) could safely assume it is not icloud locked. It could be very easy for someone to purchase many phones with icloud logged in (not yet locked and no passcode) and then sell them on craigslist fooling even the knowledgeable buyers.
Add a comment...