A flaw in iOS 13, the new iPhone operating system Apple released Thursday, exposes contact details stored in iPhones without requiring a passcode or biometric identification. And Apple has known about the flaw since July, a person who reported the bug to Apple told CNN Business.
A hacker would need physical access to a target’s phone to complete the hack — but once it is in their possession they could bypass Apple’s standard security features like facial I.D. Once they have done so, they can access the phone’s address book and see information for contacts stored on the phone, as well as indications of the most recent contacts with whom the phone’s owner had been communicating.
Jose Rodriguez, a cybersecurity enthusiast, living in the Canary Islands, contacted Apple on July 3rd suggesting that he had found a “passcode bypass” and asked if his findings would be eligible for an Apple Security Bounty — a program that rewards security researchers who bring bugs to Apple’s attention.
Apple promptly followed-up on Rodriguez’s tip and company staff had several calls with the researcher during which he walked them through the vulnerability on a beta version of the software, Rodriguez said.
Rodriguez provided copies of the emails and phone records of his correspondences with Apple to CNN Business.
Suspecting Apple might not fix the flaw before releasing the new operating system to its customers, Rodriguez last week went public with his findings.
CNN Business was able to replicate the exploit on Tuesday on iPhones that had updated to the official version of iOS 13.
Apple confirmed that the exploit Rodriguez identified would be fixed in the next version of the operating system, iOS 13.1, which is due to be released on September 24th.
The company previously moved the release date for that update forward from September 30th. The company declined to say if Rodriguez’s discovery had prompted the early release.