Researcher Jose Rodriguez told The Register that the latest version of iOS 13 is vulnerable to the same type of lock screen bypass as previous versions.
Rodriguez discovered a bug that allows opening the address book without unlocking the device, back in July of this year, when iOS 13 was in beta.
Like other similar bugs, this problem requires physical access to the device.
“Bypassing the lock screen includes receiving a call and selecting to answer the call with a text message. After that you need to change the “to” field value for this message using the voice-over functionality”, – says Jose Rodriguez.
As a result, the “to” field provides access to the contact list of the device owner, thereby giving an attacker the opportunity to examine the victim’s address book without having to unlock the iPhone.
The attack in action can be seen in the video:
To prevent such an attack is quite easy, just turn off the ability to answer the call with a text message from the lock screen in the settings. Unfortunately, by default in iOS 13 this feature is active.
Read also: Deepfake financial fraud: $ 243 thousand stolen from company
Rodriguez told reporters that although this is not a critical bug, he still contacted Apple, informing the company about the vulnerability, and asked for some gift as a reward for his find. Moreover, the expert did not ask for a large monetary reward, it was a question of an Apple Store card with a face value of 1 dollar in order to save it as a trophy. At first, the companies agreed to thank the researcher, but later they told him that there would be no “prize”, since iOS 13 was in beta at that time, and the researcher was not thanked for an error found in beta.
The researcher emphasizes that the bug has not yet been fixed and works even in the latest builds of iOS 13, which should be released later this month.
User Review
( votes)
