An iOS 13 Bug Exposes Device Contacts While Exploiting FaceTime Call

After the launch of iOS 12, a researcher discovered back-to-back lock screen bypass flaws that exploited various system features. Each glitch made it possible for an attacker to access device data. Now, with iOS 13 nearing release, the same researcher has highlighted a similar lock screen bypass bug in iOS 13 that exposes device contacts.

iOS 13 Lock Screen Bypass Bug Discovered

Jose Rodriguez, a Spanish researcher known for evaluating iOS bugs, has discovered a bug in iOS 13. He found a lock screen bypass vulnerability in the upcoming iOS 13 that exposes the contacts stored on the device.

Specifically, the attack requires the attacker to have physical access to the target device and to make a FaceTime call to it. Then, instead of answering the call, the attacker chooses to respond via text message and selects the ‘Custom’ option. The next step is activating the VoiceOver feature and changing the ‘to’ field of the message via voice commands. Eventually, the device opens the contact list to the attacker, making it easy to siphon contact data, including numbers and email addresses.

The researcher has demonstrated the attack in the following video.

Patch Not Expected Anytime Soon!

According to The Verge, Rodriguez reported this glitch to Apple in July this year. However, the bug is still present in the upcoming iOS 13 Gold Master (GM) version to be launched on September 19, 2019.

The researcher has also confirmed that the exploit does not work in the subsequent iOS 13.1 beta version. This means the patch for this bug will reach users with iOS 13.1 (due for release on September 30, 2019).

Last year, the same researcher discovered similar lock screen bypass glitches with iOS 12 and iOS 12.1. Those bugs also exposed contacts and pictures stored in the device to an attacker.
