Snoops can bypass iOS 13 lock screen to eyeball your address book. Apple hasn't fix it yet. Valid flaw? You decide
Bug-hunter says Cupertino won't even pay $1 reward for security hole
Video Apple's very latest version of iOS appears to have the same sort of lock-screen bypass that plagued previous versions of the iThing firmware.
Researcher Jose Rodriguez told The Register that back in July he discovered how the then-beta-now-gold version of iOS 13 could be fooled into showing an iPhone's address book without ever having to unlock the screen.
The procedure, demonstrated below in a video, involves receiving a call and opting to respond with a text message, and then changing the "to" field of the message, which can be accomplished via voice-over. The "to" field pulls up the owner's contacts list, thus giving an unauthorized miscreant the ability to crawl through the address book without ever needing to actually unlock the phone.
To be clear, you need to have your hands physically on a victim's device, and call it from another phone, to exploit this shortcoming. You can also prevent this all from happening, apparently, by disabling "reply with message" in your iDevice's Face ID & Passcode settings, under the the "allow access when locked" section. By default, this feature is enabled, leaving iOS 13 users at risk out of the box.
Similar unlock workarounds have been demonstrated by Rodriguez and other researchers in the past.
These sort of information-disclosure bugs are generally considered low-risk security flaws, and are not quite at the level of critical vulnerabilities that allow remote code execution or one-touch pwnage flaws that bring seven-figure payouts from some platforms.
Still, you would think the discovery would at least net some sort of acknowledgement and reward from Apple. Rodriguez tells The Reg that when he contacted Apple staff about the find, he was given the cold shoulder – because researchers can't claim bug rewards on beta builds of the operating system, apparently.
"I contacted Apple asking for a gift in thanks for reporting a passcode bypass, Apple agreed to give me a gift," Rodriguez recounts.
"I reported the security problem and then Apple retracted, apologized and told me that it was not allowed to thank by giving gifts for security reports during beta period."
The "gift" in question? A $1 Apple Store card to keep as a trophy. It was not the monetary payout Rodriguez was interested in, rather the recognition from Apple for his latest find.
Not only that, but Rodriguez says that, despite sounding the alarm on the blunder months ago, his bypass method still works on the most recent gold builds of iOS 13, which will be officially released later this month and power Cupertino's forthcoming iThings. We'll have to see if shipping gear still suffers the issue.
Apple has yet to comment on the matter. ®
Updated to add
We understand the insecure-lock-screen iOS 13 will be officially released on September 19, and is available now as a beta. A fixed version, iOS 13.1, is due to land on September 30.