A developer has posted on YouTube a video of a security bug present in iOS 13 that, however, will only be fixed at the end of the month. Contacts at risk
We're only three days away from the official launch of Apple's new mobile operating system, scheduled for September 19, but iOS 13 already seems to have some serious security issues. Apple has known about it since July, but preferred to postpone the fix to this problem to the next version 13.1.
The youtuber Jose Rodriguez (who publishes on the channel "videosdebarraquito") discovered it: it is possible to access an iPhone with iOS 13 without entering any security code, using FaceTime and exploiting a bug in Siri. In a few moves, as Rodriguez has shown, you can access the contacts of the smartphone even when it is locked. Rodriguez says he already warned Apple about the vulnerability back in July, but this flaw will still be present in the first release of iOS 13, while it will only be fixed starting with iOS 13.1, which is scheduled to be released on September 30.
How the iOS 13 bug works
To access all of an iPhone's contacts without unlocking it, using the iOS 13 vulnerability discovered by Jose Rodriguez, you need to physically hold the smartphone in question. Then you will have to launch a FaceTime call to the phone number of said smartphone. At this point, even if the phone is locked, we'll be able to enable and then disable VoiceOver, which is the screen-reading utility for the visually impaired that works thanks to the digital assistant Siri. From now on, we'll be able to freely access the iPhone's contacts: we'll be able to read and even edit them.
Apple knows this
Although this vulnerability requires physical possession of the smartphone to be exploited, it's clearly a fairly serious security bug. Rodriguez claims to have sent a demonstration video about this vulnerability to Apple on July 17. In previous videos, Rodriguez himself had shown how to access contacts on iOS 12.1, still without unlocking the phone. Then again, iOS has a long history of "insecurities" in address book management: versions 6.1, 7, 8.1 and 12.1 all had bugs very similar to this one.
Finally, Rodriguez says that the bug is no longer present in iOS 13.1, the first update to Apple's new mobile operating system, which will arrive on September 30. At this point there will be about 10 days of "hole", during which Apple smartphone owners would do well to be very careful not to leave their phones unattended.