Apple apparently has a bit of work to do before it rolls out iOS 13 to the public later this month. The beta release has been available for quite some time now, and a security researcher has discovered a vulnerability on iOS 13 that could potentially expose a user’s entire contact information, without ever having to get past the lockscreen.
Jose Rodriguez discovered the flaw earlier this summer. According to his YouTube video demonstrating the sneaky lockscreen bypass (yes, another one), he notified Apple of the issue on July 17, though it is not clear if Apple acknowledged the bug to him.
Here’s a look at the flaw in action…
It is a rather simple hack: in the video above, Rodriguez activates a FaceTime session, then uses the VoiceOver feature with Siri to view the full list of contacts. From there, a user could tap on any of the individual contacts on someone’s iPhone to see that individual’s personal details, such as their email address, physical address, and whatever else is saved.
The folks at The Verge tested this on an iPhone X running the Gold Master (GM) version of iOS 13, and said the bug is still present. Fortunately, the flaw does not allow users to access a person’s photographs, but the contact details are in full view.
Bugs like these require physical access to a smartphone and a bit of finagling, so they are not as dangerous as a remote hack. Still, it is unsettling that someone could look up sensitive details on a person’s phone without entering a PIN code or any other security details.
There is good news, however: according to Rodriguez, Apple squashed the bug in the beta version of iOS 13.1. So, it is unlikely to be present in the final release that is due out on September 19, as well as whichever version ships with the iPhone 11 family in November.