Just a few days before Apple plans to release iOS 13, a security researcher has disclosed a passcode bypass that lets you view the contacts on a locked device.
A passcode bypass is a vulnerability that allows someone to access the content on a device even when that device is locked. On iOS devices, when a device is locked, users should not be able to view the device’s stored information such as contacts, pictures, messages, etc.
The security researcher, Jose Rodriguez, publicly disclosed the passcode bypass, which uses a mixture of harmless steps that, when done together, allow you to gain access to a device’s contacts even when it is locked.
In order to demonstrate the passcode bypass, Rodriguez created a YouTube video showing how easy it is to see a device’s contact information.
The steps to reproduce this bypass are:
- Reply to an incoming call with a custom message.
- Enable the VoiceOver feature.
- Disable the VoiceOver feature.
- Add a new contact to the custom message.
- Click on the contact’s image to open the options menu and select “Add to existing contact”.
- When the list of contacts appears, tap on the other contact to view its info.
Rodriguez explained in the video description that he contacted Apple about this vulnerability on July 17th, 2019, while iOS was still in beta. He publicly disclosed the vulnerability on September 11th, by which point Apple had still not fixed the bug.
Apple plans to release iOS 13 on September 19th, and it is not clear whether this bug will be fixed by then.
The security researcher has previously found passcode bypasses in versions 12.0.1 and 12.1 of the iOS operating system.
The best method to protect your phone from bugs like this is to always have it in your possession and not leave it around for others to access until a patch is released.