iOS 13 & iPadOS bug said to allow unauthenticated access to usernames & passwords
A bug in the current iOS 13 and iPadOS betas reportedly allows people to bypass security and access usernames and passwords in the Settings app -- though in practice, the issue is a relatively minor threat.

Within the app, people can repeatedly tap on the "Website & App Passwords" option and bypass Face ID, Touch ID, or a passcode, iDeviceHelp noted on Monday. The issue is minor as a device must already be unlocked to access Settings.
Apple has been warned about the problem, but has yet to acknowledge it. Betas are inherently prone to bugs, however, making it likely Apple will patch the vulnerability before the finished versions of iOS 13 and iPadOS launch this fall.
The most recent public betas were issued on July 8. Indeed, based on Apple's normal timing, fourth developer seeds should arrive sometime this week.
The iDeviceHelp clip was first spotted by 9to5Mac.

Comments
https://reddit.com/r/iOSBeta/comments/cbfgtb/bug_very_serious_bug_that_allows_anyone_to_view/
Sure, but I've long wished that Settings could be locked down with your biometric and password.
But there are other fairly common reasons, like court orders if you're in a bar and an attractive woman asks if she can put her phone number into your phone. Seems innocent enough, but watch out.
What would be worthy is knowing if this issue affects the current iOS 12? Does it? This was not mentioned.
As for why this happens, yes this is concerning. It seems to be a race condition where it's failing to check if it *should* be prompting for FaceID or TouchID. Essentially, the default is unlocked, with a check to see if it should be locked. I think it should be the opposite — locked by default, checking to see if it should be unlocked. If my guess is accurate, then shame on Apple for how this is designed. I noticed the same thing with the lock screen on Macs. Wake up your Mac and the desktop is visible for a moment, then it displays the lock screen. I believe this is a design flaw, too.
Don't open that can of worms here. Females are considered saints on this forum.
Not sure how common this scam is though? I know women are using date rape drugs to steal your money and that is actually more common. You'd be surprised how many people have security turned off on their iPhones.
From the guy who got robbed:
"yeah I lock my phone with a pin and touch ID so I made the mistake of assuming it was secure. I have since locked Venmo with TouchId and pin"
I think these apps should require Touch/FaceID but maybe there's some legal protocol that doesn't allow to force security? IDK
Keep in mind though, that this is beta software and similar security flaws have been present in prior betas. (E.g. iOS 7 beta's flawed access to the photo library and contacts.)
Won’t the corporations love it once they have double the workforce so they can pay them half as much.
Seriously, even news about the progress of the developer betas would be interesting news to many readers of AI; and here we're even talking about software that many regular users have installed since it's publicly released by Apple. How the heck do you get that to being a "disservice"?
I regularly use this when letting someone try a game that I have on my work iPad, or whenever I need to show a person a digital ticket by presenting my phone.
This is either a news site or a marketing tool. Pick one. The constant comment-disabled marketing “articles” are getting much more frequent (and annoying), and the dismissal of issues as seen in THIS article is made worse by their proximity to that “sponsored content” and the verbose defensive editorials.