
The Online Technology

iOS 13 tricked into showing your contacts – Naked Security



Mr. Lockscreen Bypass has done it again.

Spanish security sleuth José Rodríguez on Friday posted a YouTube video of his most recent iOS lock-screen bypass: one that allows an iPhone to be tricked into showing its address book without the need to unlock the screen.

The researcher told The Register that he found this bypass in July, in what was then the beta of iOS 13.

As the video shows, the bypass involves receiving a call, opting to respond with a text message, and then changing the “to” field of the message, which you can do via VoiceOver. The “to” field pulls up the phone’s contacts list, thus enabling randoms to paw through your contact list without needing to first unlock your phone.

This isn’t a terribly serious bug. To exploit it, snoops have to get their hands on a victim’s device, and then they need to call it from another phone.

It’s also reportedly pretty easy to prevent: as a reader tweeted after The Register posted its story, you just need to go to Face ID & Passcode settings > Allow access when locked and toggle off the Reply with Message option. That feature is reportedly enabled by default in iOS 13.

Plus, the lock-screen workaround was found in a beta, which doesn’t count for as much as a bug in a live product would. That’s apparently why Apple reportedly reneged on its initial promise to pay Rodríguez the “gift” that he asked for.