In today's video I will demonstrate how one can fetch the Apple ID / iCloud e-mail address from the Accounts database that is exported when iTunes creates a backup. The Accounts database (accounts3.sqlite) saves the usernames of the authenticated services on the device, including these particular addresses. It is strange that Apple has not patched this yet, as this vulnerability has been present on iOS for a very long time. Of course, opening the SQLite file requires a suitable application, and the database is not easy to understand once you get in. If you take a closer look at the table called "ZACCOUNT", however, you will find a column called "ZUsername". That column holds the e-mail addresses of the connected services, including the iCloud ID.
Now the scenario is the following: let's say you bought an iPhone from eBay or Craigslist and it turned out to be activated and working, but locked to an account you don't know. Since the device is activated, you can use it until you first reset / restore it. By using this method, you can make an unencrypted backup and fetch the iCloud account e-mail of the owner to try to get in contact with him.
A side note: you will NOT find any passwords stored inside this database. The Keychain is not in this database, and therefore nothing sensitive (apart from the e-mail addresses) can be obtained.
This surely encourages you to encrypt your iTunes backups, doesn't it?
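To audit what your own unencrypted backup exposes, the lookup described above can be scripted. This is an added example, not code from the video; the function names and the sample database (including its `Z_PK` column and every address in it) are constructed, and only the `ZACCOUNT` table and username column come from the text.

```python
import re
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

# Loose e-mail shape check; service accounts without an address are skipped.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def exposed_usernames(db_path):
    """Return sorted, distinct e-mail-like usernames stored in ZACCOUNT."""
    # mode=ro: the exported file is opened read-only and never modified.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    try:
        with closing(sqlite3.connect(uri, uri=True)) as con:
            # SQLite column names are case-insensitive, so compare upper-cased.
            cols = {r[1].upper() for r in con.execute("PRAGMA table_info(ZACCOUNT)")}
            if "ZUSERNAME" not in cols:
                return []  # table or column absent: nothing to report
            rows = con.execute(
                "SELECT DISTINCT ZUSERNAME FROM ZACCOUNT WHERE ZUSERNAME IS NOT NULL"
            ).fetchall()
    except sqlite3.DatabaseError:
        # Missing file, or content that is not readable as SQLite
        # (assumption: this is what a file from an encrypted backup looks like).
        return []
    return sorted(u for (u,) in rows if isinstance(u, str) and EMAIL_RE.match(u))


def build_sample(path):
    """Write a constructed stand-in for accounts3.sqlite (made-up values)."""
    with closing(sqlite3.connect(path)) as con:
        con.execute("CREATE TABLE ZACCOUNT (Z_PK INTEGER PRIMARY KEY, ZUSERNAME TEXT)")
        con.executemany(
            "INSERT INTO ZACCOUNT (ZUSERNAME) VALUES (?)",
            [("owner@example.com",), (None,), ("owner@example.com",),
             ("local-device-account",), ("mail.user@example.org",)],
        )
        con.commit()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = str(Path(tmp) / "accounts3.sqlite")
        build_sample(sample)
        for address in exposed_usernames(sample):
            print("exposed in backup:", address)
```

An empty result for a file taken from an encrypted backup is the outcome you want to see.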
==Resources==
iBackupBot (to open the backups)
DB Browser for SQLite