Even though iOS 13 won't be released until September 19th, a security researcher named Jose Rodriguez has already posted a YouTube video
(via The Verge
) showing off an exploit he discovered on the next major build of Apple's mobile operating system. By making a FaceTime call and then enabling the Siri VoiceOver feature, an iPhone user can gain access to a phone owner's contacts list. That can provide the hacker with a list of phone numbers, email addresses, street addresses and more all without unlocking the device. The phone owner's photos are still protected. VoiceOver allows Siri to read the text that appears on an iPhone's display and is considered an accessibility feature for those who are blind or suffer from impaired vision.
Rodriguez says that he sent Apple a video showing the vulnerability back on July 17th, but it still shows up in the Gold Master (GM) version of iOS 13 that will be disseminated next week. Using the GM version of iOS 13 on an iPhone X
, The Verge was able to duplicate the screen lock bypass. Last year, Rodriguez discovered a similar exploit on iOS 12.1
that allowed hackers to not only access the phone user's contacts but his or her photos as well. Apple subsequently patched this issue in a later update. VoiceOver was also instrumental in yet another similar exploit that allowed hackers to view an iPhone user's contacts
with iOS 8 installed.
Like the exploit he discovered last year, the new iOS 13 vulnerability requires that the hacker get a hold of the target's iPhone long enough to complete the entire process. It also requires a second phone to initiate the FaceTime call with the target iPhone. Apple is expected to have this exploit patched in iOS 13.1, which should be rolled out starting on September 30th.
The video that Rodriguez sent to Apple can be found below.