iOS 13 Bug Lets You Access Contacts Without Unlocking Your Phone

Posted on September 13, 2019 by Mehedi Hassan in Apple, iOS, Mobile with 12 Comments

A newly discovered bug in iOS 13 amounts to a major privacy flaw. The bug was first reported by Jose Rodriguez, who disclosed the issue to Apple in July, but it still works on the Gold Master (GM) version of iOS 13, which is expected to be released on September 19.

The Verge reports that the bug lets someone exploit an issue with the lockscreen to bypass unlocking the phone and access the full list of Contacts on it, as well as the details for each individual contact, including names, phone numbers, emails, etc.

Rodriguez shared a video demoing the exploit in action. It seems to use a FaceTime call to activate VoiceOver, and then uses Siri to get access to the Contacts list.

The exploit was confirmed to be working in the iOS 13.0 GM release, but Apple seems to have addressed the issue in the iOS 13.1 betas. iOS 13.1 is expected to arrive for the public on September 30.

The exploit would require physical access to a phone, but it is still a major security flaw in iOS that puts your privacy at risk. This also wouldn’t be the first time in recent months that Apple has shipped versions of iOS with major privacy flaws.


13 responses to “iOS 13 Bug Lets You Access Contacts Without Unlocking Your Phone”

  1. Stooks

    It is still in Beta right?

  2. SvenJ

    It does require physical access to the phone, which means prying it from the hands of most Apple users. And the fix is already out in beta.

  3. anoldamigauser

    So the plan would be to skip the update to 13.0 and wait for 13.1 to be released.

  4. jimchamplin

    Pretty hard to be super worried, since it means someone has to actually steal your phone to do it. Then exploiting what they learn means opening themselves up to be caught in a felony theft.

  5. ivarh

    This is not exactly what qualifies as a serious privacy issue. If this is serious, how would a bug where someone could access a complete iCloud account's content be?

    Also, this and all the other similar bugs accessed via the lockscreen require Siri access from the lockscreen to be turned on and use some sort of either timing issue or accessibility feature. If the worry is that someone who gains physical access to your phone can access your private data, turn off Siri access while the phone is locked.

    It is rather fun (and tragic for Apple) that Apple seems unable to fix this problem, since it keeps reoccurring every now and then. Something tells me they need to rewrite the lock screen software completely rather than patching specific problems as they are found.

  6. sandy

    The concern is Apple keep reintroducing bugs like this one.

    Google Project Zero's recent blog about that set of iOS bugs which allowed complete takeover of an iPhone revealed some really shoddy code which suggests Apple doesn't ensure code changes go through QA before being released, and that's the real concern because that bad process is guaranteed to introduce security vulnerabilities.
