Flaw in Apple’s iOS 12 allows an attacker to access contacts and photos in iPhone XS model
A passcode bypass vulnerability has been discovered in Apple’s new iOS version 12 that could allow an attacker to access photos and contact details on a locked iPhone XS as well as other Apple devices.
Jose Rodriguez, a Spain-based clerk who claims to be an Apple enthusiast, discovered the vulnerability and released a video on his YouTube channel, under the account name Videosdebarraquito, that shows a complicated 37-step bypass process in Spanish.
The process involves tricking Siri, Apple’s VoiceOver screen reader feature, and the Notes application. The video also shows that the method works on iPhones running the iOS 12.1 beta and iOS 12, including models which have Face ID or Touch ID biometric security.
However, to take advantage of the vulnerability, the attacker must have the targeted iPhone in hand. The vulnerability allows the attacker to access images by editing a contact and changing the image associated with that contact.
Although Apple had built in some security measures to stop this from taking place, the video shows that Rodriguez figured out a way to sidestep those security barriers.
The bypass method has been authenticated by an independent news site, Threatpost. This passcode bypass works on any iPhone running iOS 12 and on various iPhone models, including the iPhone XS. Besides this, the hack also allowed access to other features, such as viewing the entire address book, making calls, and creating a custom text message.
It appears that the flaw has not been patched by Apple with the iOS 12.1 beta. The Cupertino giant has yet to comment on the issue.
Those concerned can prevent this attack by navigating to Settings > Face ID & Passcode (or Settings > Touch ID & Passcode on iPhones with Touch ID) and disabling the Siri toggle under the “Allow access when locked” menu.