Russian security researcher Vladimir Katalov gave a talk last week at the Hack in the Box security conference detailing his findings on Apple's iCloud protocols. Katalov's research highlights several shortcomings in iCloud's security model, including the fact that iCloud data is not protected by the two-step verification system Apple rolled out earlier this year.
Katalov's talk seems to be largely based on research he first discussed this past May. The primary concern raised is that even if a user has two-step verification turned on, an attacker who "only" possesses the victim's Apple ID and password can still download that user's iCloud backup from Apple's servers. If a malicious person is able to obtain your Apple ID and password, and they possess software capable of downloading iCloud backups (like the kind that Katalov's own company sells starting at $1,399), they will be able to retrieve your backed-up iCloud data. The only way to prevent an attacker who has those credentials and tools is to not use iCloud at all.
Despite what many sites are reporting, this isn't some newly discovered vulnerability. Katalov said as much on his own site back in May:
Is it a newly discovered security flaw? No, not really. Is Apple misguiding its customers? No: their two-step authentication process does exactly what they say it does.
Over time we will continue to see Apple improve security for people and their data. Two-step verification was introduced earlier this year as a way to stymie criminals who were abusing stolen Apple IDs to commit fraud, and it has significantly increased the difficulty of such an attack. It's clear that the system is not without its shortcomings, but hopefully in time we will see Apple continue to refine and enhance its security.