Snoops can bypass iOS 13 lock screen to eyeball your address book. Apple hasn't fixed it yet. Valid flaw? You decide

Bug-hunter says Cupertino won't even pay $1 reward for security hole


Video Apple's very latest version of iOS appears to have the same sort of lock-screen bypass that plagued previous versions of the iThing firmware.

Researcher Jose Rodriguez told The Register that back in July he discovered how the then-beta-now-gold version of iOS 13 could be fooled into showing an iPhone's address book without ever having to unlock the screen.

The procedure, demonstrated below in a video, involves receiving a call and opting to respond with a text message, and then changing the "to" field of the message, which can be accomplished via voice-over. The "to" field pulls up the owner's contacts list, thus giving an unauthorized miscreant the ability to crawl through the address book without ever needing to actually unlock the phone.

To be clear, you need to have your hands physically on a victim's device, and call it from another phone, to exploit this shortcoming. You can also prevent this all from happening, apparently, by disabling "reply with message" in your iDevice's Face ID & Passcode settings, under the "allow access when locked" section. By default, this feature is enabled, leaving iOS 13 users at risk out of the box.

Youtube Video

Similar unlock workarounds have been demonstrated by Rodriguez and other researchers in the past.

These sorts of information-disclosure bugs are generally considered low-risk security flaws, and are not quite at the level of critical vulnerabilities that allow remote code execution or one-touch pwnage flaws that bring seven-figure payouts from some platforms.

Still, you would think the discovery would at least net some sort of acknowledgement and reward from Apple. Rodriguez tells The Reg that when he contacted Apple staff about the find, he was given the cold shoulder – because researchers can't claim bug rewards on beta builds of the operating system, apparently.

"I contacted Apple asking for a gift in thanks for reporting a passcode bypass, Apple agreed to give me a gift," Rodriguez recounts.

"I reported the security problem and then Apple retracted, apologized and told me that it was not allowed to thank by giving gifts for security reports during beta period."

The "gift" in question? A $1 Apple Store card to keep as a trophy. It was not the monetary payout Rodriguez was interested in, rather the recognition from Apple for his latest find.

Not only that, but Rodriguez says that, despite sounding the alarm on the blunder months ago, his bypass method still works on the most recent gold builds of iOS 13, which will be officially released later this month and power Cupertino's forthcoming iThings. We'll have to see if shipping gear still suffers the issue.

Apple has yet to comment on the matter. ®

Updated to add

We understand the insecure-lock-screen iOS 13 will be officially released on September 19, and is available now as a beta. A fixed version, iOS 13.1, is due to land on September 30.

