A security clanger has been spotted in the current beta version of iOS 13 which allows anyone to access a user’s stored web and app passwords without having to authenticate.
Affecting iOS 13 public beta 2, developer beta 3, and iPadOS 13 betas, the issue appears to have surfaced first on Reddit, complete with a brief demo video later expanded with commentary on YouTube channel iDeviceHelp.
The issue can be reproduced by repeatedly tapping on the Website & App Passwords menu (Settings > Password & Accounts), which stores credentials used by the web autofill function.
Normally, tapping on this menu should prompt iOS to ask for Face ID or Touch ID authentication, which indeed it does if the user only taps a few times.
However, tapping 20 or more times in quick succession, while cancelling the authentication prompts at the same time, eventually gives access to the passwords. Once in, the passwords can be changed and shared with other devices.
Nick of time
The barriers to an attack are still quite high – an attacker would need physical access to an unlocked iPhone or iPad – but even by beta standards it’s still an unfortunate flaw to uncover.
One could argue that this is what public betas are for – finding flaws, both minor and serious. It’s also easy to imagine that a flaw that is so hard to trigger could easily have been missed and ended up in the final version of iOS 13 due for release to the public in September.
The next public betas of iOS 13 are said to be imminent, although it’s not yet clear whether Apple will have fixed the issue by then. If you’re one of the enthusiasts running public betas, this weakness will be one to check for when it appears.
On the plus side, when it does finally arrive, iOS 13 will feature a number of security tweaks, including telling users which apps are tracking them.
3 comments on “Big password hole in iOS 13 beta spotted by testers”
Doesn’t appear to be present in the 3rd public beta.
Sounds more like an intentional back door than a flaw.
It will be replaced with tap this while holding that, count to three and push this – Ding, full access. Government bla bla bla.
This bug was fixed in Dev Beta 4 / Public Beta 3. Stop trying to scare people by posting outdated Beta Test bugs.