There's a major flaw in the way that Apple's iCloud syncs photos that makes it laughably easy for a hacker to get all those naked selfies that you never want the world to see — and it's possible to exploit even if you have two-factor verification enabled.
TUAW's Michael Rose did a simple experiment where he set the iCloud Control Panel on a brand new installation of Windows, logged in with his iCloud credentials and checked off the options to synchronise bookmarks and photos with this new PC. Within a few minutes, his entire photo stream had downloaded seamlessly onto this never-before-seen PC.
"I turned to my iCloud email account to wait for the obligatory "Your account was accessed from a new computer" courtesy alert... which never arrived", Rose writes.
Are you getting it? All a "hacker" has to do is guess your iCloud password. Once they have that, there's nothing stopping them from syncing your entire photo stream to their computers. You would have no idea, because Apple won't bother to inform you.
Two-factor authentication on iCloud, as Rose points out, is only triggered by a short list of interactions: getting Apple ID support from Apple, signing into the My Apple ID management console, or making an iTunes, App Store or iBooks purchase from a new device. If you're not doing these things, Apple is totally cool if you don't enter a confirmation code from another device. It's a strange omission in what is, otherwise, a fairly effective way to prevent bad guys from getting into your iCloud account.
"It's pretty clear that Apple's doing its best to guard your wallet with this implementation — anything that might cause a credit card charge via an unfamiliar iOS device is going to force you to authenticate," Rose writes.