About a month ago we made an article showing that several iCloud features are still unprotected even with 2-step verification enabled. One was the duo iMessage and FaceTime if you don't know what 2-step verification is, it's worth reading this Apple support article.
When using your Apple ID to register iMessage and / or FaceTime on any computer /iGadget (yours or not), the system * did not * confirm (via two-step verification) if you were really you. In other words, anyone who has your password could register with iMessage / FaceTime and impersonate you in a conversation.
The good part that fortunately Apple fixed this flaw, as reported by The Guardian. The bad thing is that, in my view, the implementation was not the best.
Instead of requesting the four digits sent to a user's trusted device, Apple preferred to use an app-specific password to enable the feature. For this, the user has to enter the page ?My Apple ID? (which is not adapted for mobile devices, if the person is configuring the resources in a iGadget), enter the four numbers sent to a trusted device, enter ?Password and security? and generate the blessed app-specific password.
Still, it is still a great news related to security.