iOS 13 passcode bypass bug allows access to victim’s phone book

• A passcode bypass flaw has been discovered in iOS 13, which is scheduled to go live next week.
• This vulnerability allows the attacker access to the victim’s phone book, including contact names and email addresses.

Jose Rodriguez, a security researcher has reported a vulnerability that allows hackers to harvest contact details from the victim’s phonebook on locked devices. This vulnerability exists in the beta version of iOS 13.

What is a passcode bypass?

A passcode bypass is a vulnerability that allows access to the content on a device without proper authorization.

How can this be exploited?

The reported vulnerability can be exploited through a series of harmless steps, performed in a particular order.

1. Reply to an incoming call with a custom message.
2. Enable the VoiceOver feature.
3. Disable the VoiceOver feature.
4. Add a new contact to the custom message.
5. Click on the contacts image to open options menu and select ‘Add to existing contact’.
6. When the list of contacts appears, tap on the other contact to view its info.

This gives the attacker access to the victim’s entire phone book details. However, to exploit this hack, the device needs to support Siri for the VoiceOver feature and the attacker needs access to the device.

No fix released yet

The vulnerability was reported by Rodriguez on July 17th, but Apple is yet to patch it.

• He then made the details of the vulnerability live on September 11.
• This vulnerability, present in the Gold Master version of iOS 13 has also been confirmed by The Verge.
• Rodriguez observed that the vulnerability does not exist in iOS 13.1, which is expected to go live on September 30.

Apple is planning to release iOS 13 on September 19, and it isn’t clear if this vulnerability will be fixed by then.