iOS 13 & iPadOS bug said to allow unauthenticated access to usernames & passwords

Posted:
in iOS edited July 15
A bug in the current iOS 13 and iPadOS betas reportedly allows people to bypass security and access usernames and passwords in the Settings app -- though in practice, the issue is a relatively minor threat.

iOS 13 passwords


Within the app, people can repeatedly tap on the "Website & App Passwords" option and bypass Face ID, Touch ID, or a passcode, iDeviceHelp noted on Monday. The issue is minor as a device must already be unlocked to access Settings.

Apple has been warned about the problem, but has yet to acknowledge it. Betas are inherently prone to bugs however, making it likely Apple will patch the vulnerability before the finished versions of iOS 13 and iPadOS launch this fall.





The most recent public betas were issued on July 8. Indeed based on Apple's normal timing, fourth developer seeds should arrive sometime this week.





The iDeviceHelp clip was first spotted by 9to5Mac.

Comments

  • Reply 1 of 20
    ibanksibanks Posts: 9member
    First finding of this was on Reddit. Sent this to 9to5Mac 5 days ago and they credit IDeviceHelp. Lol. 

    [Bug] very serious bug that allows anyone to view your passwords by keep clicking on "Websites and app passwords"
    https://reddit.com/r/iOSBeta/comments/cbfgtb/bug_very_serious_bug_that_allows_anyone_to_view/
  • Reply 3 of 20
    SoliSoli Posts: 9,266member
    Within the app, people can repeatedly tap on the "Website & App Passwords" option and bypass Face ID, Touch ID, or a passcode, iDeviceHelp noted on Monday. The issue is minor as a device must already be unlocked to access Settings.

    Sure, but I've long wished that Settings could be locked down with your biometric and password.
    edited July 15 cornchipcaladanian
  • Reply 4 of 20
    MplsPMplsP Posts: 1,654member
    Wait - isn’t this a beta? Isn’t that what beta releases are about - finding and fixing bugs?
    PetrolDavelkrupp
  • Reply 5 of 20
    dewmedewme Posts: 2,152member
    Hmm, is anyone reading the "The issue is minor as a device must already be unlocked to access Settings" part?

    Who among us is allowing anyone other than themselves to access their unlocked iOS device?

    Okay, I'll concede that the lack of multi-user accounts on iOS devices invites such stupidity, but if you're letting other people play around with your iOS device when it's unlocked you're effectively handing out your wallet stuffed with credit cards to another person.

    Can't fix stupid.
    virtualshift
  • Reply 6 of 20
    SoliSoli Posts: 9,266member
    dewme said:
    Hmm, is anyone reading the "The issue is minor as a device must already be unlocked to access Settings" part?

    Who among us is allowing anyone other than themselves to access their unlocked iOS device?

    Okay, I'll concede that the lack of multi-user accounts on iOS devices invites such stupidity, but if you're letting other people play around with your iOS device when it's unlocked you're effectively handing out your wallet stuffed with credit cards to another person.

    Can't fix stupid.
    Sometimes it's just to show someone something or set something up for them. I do this often with friends and family. Now I'm evening doing this remotely with TeamViewer for iOS.

    But there are other fairly common reasons, like court orders if you're in a bar and an attractive woman asks if she can put her phone number into your phone. Seems innocent enough, but watch out.

    cornchip
  • Reply 7 of 20
    coolfactorcoolfactor Posts: 1,531member
    I think it's a disservice to the general public for media outlets to reports bugs during a beta-testing period. It screams of "click me! click me!". There are going to be bugs.

    What would be worthy is knowing if this issue affects the current iOS 12? Does it? This was not mentioned.

    As for why this happens, yes this is concerning. It seems to be a race condition where it's failing to check if it *should* be prompting for FaceID or TouchID. Essentially, the default is unlocked, with a check to see if it should be locked. I think it should be the opposite — locked by default, checking to see it should be unlocked. If my guess is accurate, then shame on Apple for how this is designed. I noticed the same thing with the lock screen on Macs. Wake up your Mac and the desktop is visible for a moment, then it displays the lock screen. I believe this is a design flaw, too.

    AppleExposedPetrolDavecommand_f
  • Reply 8 of 20
    AppleExposedAppleExposed Posts: 1,503unconfirmed, member
    Soli said:
    dewme said:
    Hmm, is anyone reading the "The issue is minor as a device must already be unlocked to access Settings" part?

    Who among us is allowing anyone other than themselves to access their unlocked iOS device?

    Okay, I'll concede that the lack of multi-user accounts on iOS devices invites such stupidity, but if you're letting other people play around with your iOS device when it's unlocked you're effectively handing out your wallet stuffed with credit cards to another person.

    Can't fix stupid.
    Sometimes it's just to show someone something or set something up for them. I do this often with friends and family. Now I'm evening doing this remotely with TeamViewer for iOS.

    But there are other fairly common reasons, like court orders if you're in a bar and an attractive woman asks if she can put her phone number into your phone. Seems innocent enough, but watch out.


    Don't open that can of worms here. Females are considered saints on this forum.

    Not sure how common this scam is though? I know women are using date rape drugs to steal your money and that is actually more common. You'd be surprised how many people have security turned off on their iPhones.

    From the guy who got robbed:
    "yeah I lock my phone with a pin and touch ID so i made the mistake of assumming it was secure. I have since locked Venmo with TouchId and pin"

    I think these apps should require Touch/FaceID but maybe there's some legal protocol that doesn't allow to force security? IDK
    edited July 15
  • Reply 9 of 20
    StrangeDaysStrangeDays Posts: 8,555member
    Soli said:
    dewme said:
    Hmm, is anyone reading the "The issue is minor as a device must already be unlocked to access Settings" part?

    Who among us is allowing anyone other than themselves to access their unlocked iOS device?

    Okay, I'll concede that the lack of multi-user accounts on iOS devices invites such stupidity, but if you're letting other people play around with your iOS device when it's unlocked you're effectively handing out your wallet stuffed with credit cards to another person.

    Can't fix stupid.
    Sometimes it's just to show someone something or set something up for them. I do this often with friends and family. Now I'm evening doing this remotely with TeamViewer for iOS.

    But there are other fairly common reasons, like court orders if you're in a bar and an attractive woman asks if she can put her phone number into your phone. Seems innocent enough, but watch out.

    Don't open that can of worms here. Females are considered saints on this forum.
    No, we just believe they’re equals who are entitled to the same rights career opportunities as men, and we refute the notion that hiring qualified women in tech means somehow lowering the bar for hiring standards. The posts on AI where women are part of the topic get heavily moderated because a whole lotta guys in tech are complete jackasses.
    edited July 16 SolichasmAppleExposedDAalsethcommand_fdysamoriamuthuk_vanalingam
  • Reply 10 of 20
    I think it's a disservice to the general public for media outlets to reports bugs during a beta-testing period. It screams of "click me! click me!". There are going to be bugs.

    What would be worthy is knowing if this issue affects the current iOS 12? Does it? This was not mentioned.

    As for why this happens, yes this is concerning. It seems to be a race condition where it's failing to check if it *should* be prompting for FaceID or TouchID. Essentially, the default is unlocked, with a check to see if it should be locked. I think it should be the opposite — locked by default, checking to see it should be unlocked. If my guess is accurate, then shame on Apple for how this is designed. I noticed the same thing with the lock screen on Macs. Wake up your Mac and the desktop is visible for a moment, then it displays the lock screen. I believe this is a design flaw, too.

    It doesn't work in iOS 12, but FaceID and the pop up have changed in iOS 13, so there is a possibility that this is the source of the issue, which could also mean that the same vulnerability may be present in other areas.
    Keep in mind though, that this is beta software and similar security flaws have been present in prior betas. (E.g. iOS 7 beta's flawed access to the photo library and contacts.)
  • Reply 11 of 20
    cornchipcornchip Posts: 1,390member
    No, we just believe they’re equals who are entitled to the same rights career opportunities as men, and...

    Won’t the corporations love it once they have double the workforce so they can pay them half as much.



    AppleExposed
  • Reply 12 of 20
    chasmchasm Posts: 1,667member
    Aaaaand THIS is why AI staffers and others on similar sites keep saying you really should not run betas (especially developer betas) unless you are running on expendable equipment with little personal data AND willing to file bug reports. Talking about it here does bupkis to get it fixed -- file a bug report.
    command_fdysamoria
  • Reply 13 of 20
    svanstromsvanstrom Posts: 201member
    I think it's a disservice to the general public for media outlets to reports bugs during a beta-testing period.
    A disservice to the public to learn about the security problems with the public betas that many of the visitors to AppleInsider use…?

    Seriously, even news about the progress of the developer betas would be interesting news to many readers of AI; and here we're even talking about software that many regular users have installed since it's publicly released by Apple. How the heck do you get that to being a "disservice"?
  • Reply 14 of 20
    svanstromsvanstrom Posts: 201member
    dewme said:
    Hmm, is anyone reading the "The issue is minor as a device must already be unlocked to access Settings" part?

    Who among us is allowing anyone other than themselves to access their unlocked iOS device?

    Okay, I'll concede that the lack of multi-user accounts on iOS devices invites such stupidity, but if you're letting other people play around with your iOS device when it's unlocked you're effectively handing out your wallet stuffed with credit cards to another person.

    Can't fix stupid.
    Guided access is there to be used… https://support.apple.com/en-us/HT202612 

    I regularly use this when letting someone try a game that I have on my work iPad, or whenever I need to show a person a digital ticket by presenting my phone.
  • Reply 15 of 20
    dysamoriadysamoria Posts: 2,283member
    Apple Insider writers need to stop being so dismissive about these issues when they report them. It’s either an issue or it’s not. Report it, if you think you need to, but don’t ALSO then attempt to dismiss it for whatever reason. The editorial content is already plenty defensive of Apple.

    This is either a news site or a marketing tool. Pick one. The constant comment-disabled marketing “articles” are getting much more frequent (and annoying), and the dismissal of issues as seen in THIS article are made worse by their proximity to that “sponsored content” and the verbose defensive editorials. 
    edited July 16
  • Reply 16 of 20
    crowleycrowley Posts: 6,017member
    dysamoria said:
    Apple Insider writers need to stop being so dismissive about these issues when they report them. It’s either an issue or it’s not. Report it, if you think you need to, but don’t ALSO then attempt to dismiss it for whatever reason. The editorial content is already plenty defensive of Apple.

    This is either a news site or a marketing tool. Pick one. The constant comment-disabled marketing “articles” are getting much more frequent (and annoying), and the dismissal of issues as seen in THIS article are made worse by their proximity to that “sponsored content” and the verbose and defensive editorials. 
    Yeah, the editorialising is eye-roll inducing, but you're mistaking AI for a news site, when in reality it's just a fan blog.  
    dysamoria
  • Reply 17 of 20
    muadibemuadibe Posts: 133member
    Why is the an article? I’m assuming the author is aware that this is a beta. Use the Feedback assistant. You come across as desperate for clicks here which might make some of us bypass you altogether. Please try and remain professional. You know better.
    dysamoria
  • Reply 18 of 20
    mike1mike1 Posts: 1,923member
    Soli said:
    Within the app, people can repeatedly tap on the "Website & App Passwords" option and bypass Face ID, Touch ID, or a passcode, iDeviceHelp noted on Monday. The issue is minor as a device must already be unlocked to access Settings.

    Sure, but I've long wished that Settings could be locked down with your biometric and password.
    Conversely, I would love an option so that no app is locked down once you've unlocked the phone.
  • Reply 19 of 20
    lkrupplkrupp Posts: 7,308member
    MplsP said:
    Wait - isn’t this a beta? Isn’t that what beta releases are about - finding and fixing bugs?
    Yes, absolutely. But this is Apple we’re talking about so the resident trolls waste no time in bashing iOS 13 over this. I think AI posted this report because so many dumbasses are running the iOS 13beta on their everyday iPhones/iPads so this could be an issue.
  • Reply 20 of 20
    dysamoriadysamoria Posts: 2,283member
    lkrupp said:
    MplsP said:
    Wait - isn’t this a beta? Isn’t that what beta releases are about - finding and fixing bugs?
    Yes, absolutely. But this is Apple we’re talking about so the resident trolls waste no time in bashing iOS 13 over this. I think AI posted this report because so many dumbasses are running the iOS 13beta on their everyday iPhones/iPads so this could be an issue.
    The resident trolls...? You mean the Apple Insider writer who authored this story?
    gatorguy
Sign In or Register to comment.