Web application security specialists have reported the finding of a new vulnerability in Apple’s new operating system iOS 13 beta version which, if exploited, gives threat actors full access to passwords, email addresses and any login data stored by the ‘Auto Fill’ system feature.
Because this version of the operating system is still in testing stages, the vulnerability scope is really limited, affecting only the participating users of the public test of this beta version.
According to web application security experts, the vulnerability provides hackers with access to all data stored in iCloud Keychain, Apple’s password management system, from which the ‘Auto Fill’ feature gets the information. To obtain the information, attackers simply must:
- Go to Settings
- Choose the Passwords and Accounts option
- Repeatedly tap in Website and Apps Passwords option
Doing so, the hacker will cancel the message from the Face ID/Touch ID security system, and after further attempts, they will gain access to all usernames and passwords stored on the system; finally, the threat actor can even make modifications to the compromised access credentials.
It is important to note that exploiting the vulnerability requires physical access to an unlocked iPhone or iPad, so the complexity of the attack increases considerably, web application security specialists say. The company has already been notified of the existence of this flaw, so it is highly likely that the company will fix this flaw in the next beta version of the iOS 13 and iPad OS 13.
Specialists from the International Institute of Cyber Security (IICS) mention that this version of the operating system includes multiple improvements and new features to enhance the privacy experience for Apple users.
While the error is serious, as it exposes a large amount of sensitive information, the company is in time to implement the necessary measures to fix this and other bugs that are discovered by users of the iOS 13 beta.