An iOS 13 Bug Allows Unauthorized Access to the Data in 'Website & App Passwords' Settings


Ask any fan of Apple products what makes their devices better than the rest, and one of the arguments that will inevitably crop up is the steady stream of software updates. Indeed, cold, hard statistics show that compared to Android users, for example, a much larger portion of iDevice owners get to enjoy the latest features of Apple's operating systems. There are quite a few features to enjoy as well.

iOS 12 appeared in September 2018, and if everything goes according to plan, its successor, iOS 13, should be launched just twelve months after it, in September of this year. This means that Apple still has a few months left to fix the inevitable bugs, fine-tune the new features, and iron out any stability issues, and the developer and public beta testing programs were established to help with exactly that. They appear to be doing a good job. Thanks to them, Apple recently learned about a rather serious security bug, which needs to be squashed decisively if people are to continue trusting iDevices with their privacy.

A Keychain vulnerability puts beta testers' passwords at risk

Many of you might know that users who rely exclusively on Apple devices can take advantage of something called the iCloud Keychain. It's a built-in password management tool that stores login and personal data and syncs it across Macs, iPhones, and iPads. Obviously, if Keychain is going to work as a proper password manager, the usernames and passwords need to be easily accessible. In iOS 12, Apple put the login credentials under the "Website & App Passwords" section inside the Settings menu, and by the looks of things, they will remain there in iOS 13 as well.

Getting to them should be easy for you, but it should be difficult for everyone else, which is why, when you tap Website & App Passwords, you'll see a prompt that requests authentication either through Face ID or Touch ID or via a passcode.

Beta testers have found, however, that you can access the sensitive data without proving that you are authorized to do so. As it turns out, if you tap the Website & App Passwords button about a dozen times and tap Cancel whenever the authentication window appears, you can get to the sensitive data.

Last week, the first reports of the bug appeared on Reddit, and since then, it's been discussed by media outlets like 9to5Mac and a YouTube channel by the name of iDeviceHelp.

Apparently, the users that first shared their findings were seeing the bug on iOS 13's Public Beta 3 version, though other people said that it's been around since the very first beta.

There is some good news

The first thing you need to know is that the bug isn't as bad as some people claim. While a criminal can theoretically bypass the authentication prompt and open the list of login credentials, doing so requires two important things – physical access and an unlocked device.

The best part is that the bug was found while Apple's upcoming operating system is still in beta. Apple is aware of the vulnerability, and some social media users think that it might have been fixed already. Thankfully, the overall impact on real users is limited. That being said, some beta testers tend to forget that they are using an unfinished product, which should be approached with caution, especially if it's on their primary devices. Hopefully, this bug will serve as a warning for all participants in beta programs.

July 18, 2019
