Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
IOS Bug Iphone Operating Systems Privacy Security Apple

iOS 13 Ships With Known Lockscreen Bypass Flaw That Exposes Contacts (arstechnica.com) 19

An anonymous reader quotes a report from Ars Technica: Apple released iOS 13 with a bunch of new features. But it also released the new OS with something else: a bug disclosed seven days ago that exposes contact details without requiring a passcode or biometric identification first. Independent researcher Jose Rodriguez published a video demonstration of the flaw exactly one week ago. It can be exploited by receiving a FaceTime call and then using the voiceover feature from Siri to access the contact list. From there, an unauthorized person could get names, phone numbers, email addresses, and any other information stored in the phone's contacts list. An Apple representative told Ars the bypass will be fixed in iOS 13.1, scheduled for release on Sept. 24.
This discussion has been archived. No new comments can be posted.

iOS 13 Ships With Known Lockscreen Bypass Flaw That Exposes Contacts

Comments Filter:
  • by Wired In Blood ( 720155 ) on Friday September 20, 2019 @07:33PM (#59218612)
    As was pointed out on Ars in the comment section, this isn't anything new with apple iOS 12.1.1: https://support.apple.com/en-u... [apple.com] iOS 11.1: https://support.apple.com/en-u... [apple.com] iOS 10.2: https://support.apple.com/en-u... [apple.com] iOS 9.0.2: https://support.apple.com/en-u... [apple.com] iOS 8.1.1: https://support.apple.com/en-i... [apple.com] iOS 7.0.2: https://support.apple.com/en-u... [apple.com] iOS 6.1.3: https://support.apple.com/en-u... [apple.com] iOS 5.01: https://support.apple.com/en-u... [apple.com] iOS 4.2: https://support.apple.com/en-u... [apple.com]
  • ready when first used.
  • by SuperKendall ( 25149 ) on Friday September 20, 2019 @08:57PM (#59218752)

    Sorry but I don't even consider this a flaw.

    Someone would have to know your number to facetime you, AND have your phone physically in their possession. Already that is pretty much game over.

    Then from there you use Siri to access contacts. But that's a valid use case, why would you NOT want to be able to do that? Are you really going to block that on the off chance someone might actually do this?

    What I'm not clear on, is what people would deem a "correction" for this supposed flaw.

    • by ljw1004 ( 764174 ) on Friday September 20, 2019 @11:56PM (#59219082)

      Scenario 1. You meet someone new for a date. They surreptitiously get your phone while you're using the restroom or asleep, and they learn all your contacts and stalk you through them.

      Scenario 2. You're in an abusive marriage. You lock your phone. But your partner uses this bug to go through your contacts, finds your divorce lawyer, and beats you.

      Scenario 3. You're at a high school or college party. A bully gang grabs you, uses the bug to find your contacts, and outs you after discovering a LGBTQ helpline contact, an anorexia support contact, or a suicide support helpline. Or they find embarrassing pictures you've assigned to your contacts, or pet names for them.

      Yeah, I consider this a bug. If I lock my phone, I don't want any personal information leaking out of it.

      • by garote ( 682822 )

        Every one of these scenarios requires physical access. DO NOT LET RANDOM PEOPLE USE YOUR PHONE.

        In scenario 1 and 2 you're actually spending the night with the person, and in scenario 3 your problem is being physically assaulted by a gang of people. Physical access to the phone is hardly the emergency here. These people have nearly unfettered physical access to you.

        If you really have to go that far to paint this as an emergency, what's your point?

        • by ljw1004 ( 764174 )

          Every one of these scenarios requires physical access. DO NOT LET RANDOM PEOPLE USE YOUR PHONE.

          In scenario 1 and 2 you're actually spending the night with the person, and in scenario 3 your problem is being physically assaulted by a gang of people. Physical access to the phone is hardly the emergency here. These people have nearly unfettered physical access to you.

          If you really have to go that far to paint this as an emergency, what's your point?

          These are all cases where people have unfettered physical access to me, but I chose what of my inner life or personal stuff they get to see. I can sleep over at someone's house fine without chosing to reveal to them my innermost thoughts or secrets. I can go to a party with people I don't trust, and deliberately leave my precious jewelry at home so it doesn't get stolen. This is a case where an Apple device, one which previously could be entrusted to keep my secrets safe in realistic social situations, no l

  • They started manufacturing phones and imaging them with IOS 13 before the bug was known and fixed, so IOS 13 was locked down already. They will have a patch out within a week, so users will know it's coming and make the up date. If users with existing phones are SO concerned about it (a bug that is only useful if you have possession of the phone you are trying to exploit btw) then they can wait to do any upgrade for a week and won't be vulnerable to it at all.
    • Apple still sucks.. They spend a ton of money and effort locking down the phone so it doesn't actually belong to you. So you are perpetually Apple's b*tch unless you jailbreak it.
      • by Arkham ( 10779 )

        Apple still sucks.. They spend a ton of money and effort locking down the phone so it doesn't actually belong to you. So you are perpetually Apple's b*tch unless you jailbreak it.

        Stick with Android. Then you can be everyone's b*tch even without rooting it. See, hyperbole works both ways.

    • The big deal is that Apple marketing (including differences etc.) fraudulently portrays Apple as the competent players, who care about your security, when they do not care and they are not competent.

      If Apple were competent, they'd never have created this bug.

      If Apple cared about security, they would at minimum have delayed the release until the update was out. But that would probably cost them money since they've committed to a date, and their resellers would cry foul. Apple cares about money, not about you

      • I'd love to live in your world where apparently developers never introduce software bugs.....because of course no other OS provider has ever released a version with a security vulnerability.

        And no, the were not going to delay it's release it was tied to the iPhone 11 release that was yesterday.

        The question is - if a researcher knew Apple had this fix coming - was i ethical to make this vulnerability as widely known as he did by publicly releasing the info he did? Or was this more about making a name fo

        • If Apple were competent, they'd never have created this bug.

          I'd love to live in your world where apparently developers never introduce software bugs...

          That's not what I said, as you can see. Apple has more money than God. Literally, in that they have more cash on hand than there are funds managed by the Vatican Bank. The Vatican has several orders of magnitude more land, though... Anyhoo, the point is that Apple can afford to do more review than this. It shouldn't come down to one programmer, or even one team.

          The question is - if a researcher knew Apple had this fix coming - was i ethical to make this vulnerability as widely known as he did by publicly releasing the info he did? Or was this more about making a name for himself?

          No, that's a question, and one about which I'm ambivalent. I don't believe I need to lay out either argument, they're both pretty predictable.

      • by dgatwood ( 11270 )

        If Apple were competent, they'd never have created this bug.

        I would argue that if Apple were competent, it would not be possible to create this sort of bug. This points to a fairly fundamentally broken security model. Then again, I'm not sure what I expected from a phone operating system that historically ran everything as root. :-/

        The more disturbing thing is that that these sorts of glaring security bugs keep happening. When I saw this story, my reaction was, "Apple released a new major OS with a lock-

    • And it was discovered 9 days ago but he didn't give some the usual 30-90 days to path it before going public? Nice guy.
  • It doesn't matter that this bug is trivial.

    The real problem is APPLE BAD... because I can't customize the color scheme of the OS and side load malware...

    • Wait, you can't customize the color scheme of the OS? But this is Apple, ain't they the computer company that turned into a style company, the company that used to make computers but makes fashion accessories now? How do they plan to live up to their reputation if I can't match the look of my accessory to my outfit?

Avoid strange women and temporary variables.

Working...