Snoops can bypass iOS 13 lock screen to eyeball your address book. Apple hasn't fix it yet. Valid flaw? You decide

Bug-hunter says Cupertino won't even pay $1 reward for security hole


Video Apple's very latest version of iOS appears to have the same sort of lock-screen bypass that plagued previous versions of the iThing firmware.

Researcher Jose Rodriguez told The Register that back in July he discovered how the then-beta-now-gold version of iOS 13 could be fooled into showing an iPhone's address book without ever having to unlock the screen.

The procedure, demonstrated below in a video, involves receiving a call and opting to respond with a text message, and then changing the "to" field of the message, which can be accomplished via voice-over. The "to" field pulls up the owner's contacts list, thus giving an unauthorized miscreant the ability to crawl through the address book without ever needing to actually unlock the phone.

To be clear, you need to have your hands physically on a victim's device, and call it from another phone, to exploit this shortcoming. You can also prevent this all from happening, apparently, by disabling "reply with message" in your iDevice's Face ID & Passcode settings, under the the "allow access when locked" section. By default, this feature is enabled, leaving iOS 13 users at risk out of the box.

Youtube Video

Similar unlock workarounds have been demonstrated by Rodriguez and other researchers in the past.

These sort of information-disclosure bugs are generally considered low-risk security flaws, and are not quite at the level of critical vulnerabilities that allow remote code execution or one-touch pwnage flaws that bring seven-figure payouts from some platforms.

Still, you would think the discovery would at least net some sort of acknowledgement and reward from Apple. Rodriguez tells The Reg that when he contacted Apple staff about the find, he was given the cold shoulder – because researchers can't claim bug rewards on beta builds of the operating system, apparently.

Apple

Breaking news: Apple un-breaks break on jailbreak break

READ MORE

"I contacted Apple asking for a gift in thanks for reporting a passcode bypass, Apple agreed to give me a gift," Rodriguez recounts.

"I reported the security problem and then Apple retracted, apologized and told me that it was not allowed to thank by giving gifts for security reports during beta period."

The "gift" in question? A $1 Apple Store card to keep as a trophy. It was not the monetary payout Rodriguez was interested in, rather the recognition from Apple for his latest find.

Not only that, but Rodriguez says that, despite sounding the alarm on the blunder months ago, his bypass method still works on the most recent gold builds of iOS 13, which will be officially released later this month and power Cupertino's forthcoming iThings. We'll have to see if shipping gear still suffers the issue.

Apple has yet to comment on the matter. ®

Updated to add

We understand the insecure-lock-screen iOS 13 will be officially released on September 19, and is available now as a beta. A fixed version, iOS 13.1, is due to land on September 30.


Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022