With the official release of iOS 13 just around the corner, iPhone users are anxiously waiting for the update to try out the new features. However, before you all get excited, a bug has been discovered in the developer version (beta) of the upcoming operating system that allows anyone to access the contacts via the lock screen.
Researcher Jose Rodriguez was casually testing the beta version of iOS 13 in June when he discovered that he could access the information in the device’s address book without ever entering the passcode. As he demonstrates in the following video, the exploit needs special conditions in order to work – a combination of taps and voice commands, the “reply with message” setting enabled, and of course, physical access to the device.
Although peeking into someone’s address book isn’t considered a critical vulnerability, it certainly is a privacy invasion that could have very easily been avoided. iOS 13 entered “Golden Master” two days ago, and testers confirm that the issue is still there, so it’s one step away from being pushed out to millions of devices. Why has Apple ignored the report of this privacy bug since June? Probably, they don’t think of it as a critical flaw and reportedly never treated it as one.
Jose Rodriguez explains that when he first contacted Apple, he promised the tech company a way to bypass the passcode and access user data. In exchange, he asked for a $1 Apple Store gift card that he wanted to keep as a trophy. Apple agreed, but when the detailed report was submitted to them, their stance changed. They told the researcher that since the report concerned a product that’s in a beta stage of development, they were not allowed to give him any gifts. The same problem was reproduced and reported by other researchers in the period that followed, and Apple has apparently disregarded them all on similar grounds.
iOS 13 is planned for universal rollout on September 19, while the first bug-fixing version, 13.1, is planned for the end of the month. This means that Apple still has time to address the privacy flaw and make it impossible for someone to access your address book info.