iOS 13 Ships With Known Lockscreen Bypass Flaw That Exposes Contacts (arstechnica.com) 19
An anonymous reader quotes a report from Ars Technica: Apple released iOS 13 with a bunch of new features. But it also released the new OS with something else: a bug disclosed seven days ago that exposes contact details without requiring a passcode or biometric identification first. Independent researcher Jose Rodriguez published a video demonstration of the flaw exactly one week ago. It can be exploited by receiving a FaceTime call and then using the voiceover feature from Siri to access the contact list. From there, an unauthorized person could get names, phone numbers, email addresses, and any other information stored in the phone's contacts list. An Apple representative told Ars the bypass will be fixed in iOS 13.1, scheduled for release on Sept. 24.
This is par the course for apple (Score:4, Informative)
Re: This is par the course for apple (Score:1)
PRISM (Score:1)
Is this even really a flaw (Score:3, Insightful)
Sorry but I don't even consider this a flaw.
Someone would have to know your number to facetime you, AND have your phone physically in their possession. Already that is pretty much game over.
Then from there you use Siri to access contacts. But that's a valid use case, why would you NOT want to be able to do that? Are you really going to block that on the off chance someone might actually do this?
What I'm not clear on, is what people would deem a "correction" for this supposed flaw.
Re: Is this even really a flaw (Score:5, Insightful)
Scenario 1. You meet someone new for a date. They surreptitiously get your phone while you're using the restroom or asleep, and they learn all your contacts and stalk you through them.
Scenario 2. You're in an abusive marriage. You lock your phone. But your partner uses this bug to go through your contacts, finds your divorce lawyer, and beats you.
Scenario 3. You're at a high school or college party. A bully gang grabs you, uses the bug to find your contacts, and outs you after discovering a LGBTQ helpline contact, an anorexia support contact, or a suicide support helpline. Or they find embarrassing pictures you've assigned to your contacts, or pet names for them.
Yeah, I consider this a bug. If I lock my phone, I don't want any personal information leaking out of it.
Re: (Score:2)
Every one of these scenarios requires physical access. DO NOT LET RANDOM PEOPLE USE YOUR PHONE.
In scenario 1 and 2 you're actually spending the night with the person, and in scenario 3 your problem is being physically assaulted by a gang of people. Physical access to the phone is hardly the emergency here. These people have nearly unfettered physical access to you.
If you really have to go that far to paint this as an emergency, what's your point?
Re: (Score:2)
Every one of these scenarios requires physical access. DO NOT LET RANDOM PEOPLE USE YOUR PHONE.
In scenario 1 and 2 you're actually spending the night with the person, and in scenario 3 your problem is being physically assaulted by a gang of people. Physical access to the phone is hardly the emergency here. These people have nearly unfettered physical access to you.
If you really have to go that far to paint this as an emergency, what's your point?
These are all cases where people have unfettered physical access to me, but I chose what of my inner life or personal stuff they get to see. I can sleep over at someone's house fine without chosing to reveal to them my innermost thoughts or secrets. I can go to a party with people I don't trust, and deliberately leave my precious jewelry at home so it doesn't get stolen. This is a case where an Apple device, one which previously could be entrusted to keep my secrets safe in realistic social situations, no l
I don't see the big deal (Score:2)
Re: (Score:1)
Re: (Score:2)
Apple still sucks.. They spend a ton of money and effort locking down the phone so it doesn't actually belong to you. So you are perpetually Apple's b*tch unless you jailbreak it.
Stick with Android. Then you can be everyone's b*tch even without rooting it. See, hyperbole works both ways.
Re: (Score:2)
The big deal is that Apple marketing (including differences etc.) fraudulently portrays Apple as the competent players, who care about your security, when they do not care and they are not competent.
If Apple were competent, they'd never have created this bug.
If Apple cared about security, they would at minimum have delayed the release until the update was out. But that would probably cost them money since they've committed to a date, and their resellers would cry foul. Apple cares about money, not about you
Re: (Score:2)
I'd love to live in your world where apparently developers never introduce software bugs.....because of course no other OS provider has ever released a version with a security vulnerability.
And no, the were not going to delay it's release it was tied to the iPhone 11 release that was yesterday.
The question is - if a researcher knew Apple had this fix coming - was i ethical to make this vulnerability as widely known as he did by publicly releasing the info he did? Or was this more about making a name fo
Re: (Score:2)
If Apple were competent, they'd never have created this bug.
I'd love to live in your world where apparently developers never introduce software bugs...
That's not what I said, as you can see. Apple has more money than God. Literally, in that they have more cash on hand than there are funds managed by the Vatican Bank. The Vatican has several orders of magnitude more land, though... Anyhoo, the point is that Apple can afford to do more review than this. It shouldn't come down to one programmer, or even one team.
The question is - if a researcher knew Apple had this fix coming - was i ethical to make this vulnerability as widely known as he did by publicly releasing the info he did? Or was this more about making a name for himself?
No, that's a question, and one about which I'm ambivalent. I don't believe I need to lay out either argument, they're both pretty predictable.
Re: (Score:2)
I would argue that if Apple were competent, it would not be possible to create this sort of bug. This points to a fairly fundamentally broken security model. Then again, I'm not sure what I expected from a phone operating system that historically ran everything as root. :-/
The more disturbing thing is that that these sorts of glaring security bugs keep happening. When I saw this story, my reaction was, "Apple released a new major OS with a lock-
Re: I don't see the big deal (Score:2)
But this is /. (Score:2)
It doesn't matter that this bug is trivial.
The real problem is APPLE BAD... because I can't customize the color scheme of the OS and side load malware...
Re: (Score:3)
Wait, you can't customize the color scheme of the OS? But this is Apple, ain't they the computer company that turned into a style company, the company that used to make computers but makes fashion accessories now? How do they plan to live up to their reputation if I can't match the look of my accessory to my outfit?