


Spanish security sleuth José Rodríguez on Friday posted a YouTube video of his most recent iOS lock-screen bypass: one that allows an iPhone to be tricked into showing its address book without the need to unlock the screen.

The researcher told The Register that he found this bypass in July, in what was then the beta of iOS 13.

As the video shows, the bypass involves receiving a call and opting to respond with a text message, and then changing the “to” field of the message, which you can do via voice-over. The “to” field pulls up the phone’s contacts list, thus enabling randoms to paw through your contact list without needing to first unlock your phone.

To exploit it, snoops have to get their hands on a victim’s device, and then they need to call it from another phone.

It’s also reportedly pretty easy to prevent: as a reader tweeted after The Register posted its story, you just need to go to Face ID & Passcode settings > Allow access when locked and toggle off the Reply with Message option. That feature is reportedly enabled by default in iOS 13.

And yet, seemingly mitigated by toggling the attached option. Was not able to reproduce the vulnerability any longer after disabling this option on the iOS 13 GM build. Would love additional confirmation, though.
- Andrew Maxey, September 13, 2019

Plus, the lockscreen workaround was found in a beta, which doesn’t really count as much as would a bug in a live product. That’s apparently why Apple reportedly reneged on its initial promise to pay Rodríguez the “gift” that he asked for.

According to the researcher, he wanted a $1 Apple Store card. He told The Register that he wanted it as a trophy. First Apple said yes, Rodríguez said, then it said no:

I contacted Apple asking for a gift in thanks for reporting a passcode bypass, Apple agreed to give me a gift. I reported the security problem and then Apple retracted, apologized and told me that it was not allowed to thank by giving gifts for security reports during beta period.

OK… rules are rules… but… really? We’re talking about a serial lockscreen hacker, here.

Doesn’t he deserve a little something? Even if his latest isn’t terribly concerning from a security standpoint, his track record is kind of amazing.

Here’s the timeline I put together of his successful exploits leading up to this one.

Mid-October 2018: he comes up with a new iPhone iOS 12.0.1 lockscreen bypass that exposed your photos…. As in, the iOS 12.0.1 that Apple had released a week prior, to address a range of issues that had cropped up with iOS 12, including two separate lock screen bypass flaws Rodríguez published in late September 2018. One of iOS 12’s biggest draws when it launched in mid-September was supposed to be the way it tightened up security. He’d already built a reputation for finding other iOS lock screen bypasses too.

In 2016, Rodríguez found a Siri bug that allowed someone to bypass the lockscreen and gain access to contacts and photos.

In 2015, he found an earlier bug in Siri that made the lockscreen in iOS 9 unsafe: again, the bug allowed anyone to see your photos and contacts.

In 2013, he had found (yet again) a lockscreen bug in iOS 6.1.3 that let unauthorized people bypass the lockscreen on an iPhone 4 using nothing more than a paperclip.

The Register reports that as of Friday, Apple hadn’t addressed the latest vulnerability. Granted, if you decide to make only some things available when an iPhone is locked, rather than enforcing a strict boundary, then problems like this are probably quite hard to stop.
