PSA: iOS 13 developer and public beta bug allows unauthenticated access to passwords saved in Settings
iOS 13 is still in beta and therefore bugs are to be expected, but a recently-discovered security vulnerability in the operating system is especially worth noting. This iOS 13 bug makes it easy for someone to gain access to the “Website & App Passwords” data in Settings.
Sylvania HomeKit Light Strip
Essentially, when running iOS 13 developer beta 3 or the second public beta of iOS 13, it’s incredibly easy to bypass the Face ID or Touch ID authentication prompt in Settings when trying to access your iCloud Keychain passwords.
As detailed by iDeviceHelp on YouTube, you can access all of the saved usernames and passwords in Settings by repeatedly tapping the “Website & App Passwords” menu and avoiding the Face ID or Touch ID prompt. After several tries, iOS 13 will show all of your passwords and logins, even if you never successfully authenticated with Face ID or Touch ID.
9to5Mac confirmed that this vulnerability is present in the latest iOS 13 developer beta. Apple has been informed of the issue via the Feedback app in iOS 13, but has yet to acknowledge it. The bug is also present in the latest betas of iPadOS 13.
Of course, in order to access the “Website & App Passwords” menu, someone would also need to unlock your device to begin with, whether it be through Face ID, Touch ID, or with your passcode.
By running an iOS beta, you accept a certain level of risk and this vulnerability is a good example of such risk. Though, it is notable that such a major security hole is present in the public beta of iOS 13, which Apple released ahead of schedule to users. Nonetheless, you should never expect an iOS beta to be perfectly secure and stable, especially only 6 weeks into the testing process.
Apple released iOS 13 beta 3 to developers on July 2nd. This means we’re likely just a day or two away from the release of iOS 13 beta 4. Ideally, iOS 13 beta 4 and iOS 13 public beta 3 will resolve this vulnerability, but there’s no guarantee.
To see the bug in action, watch the video below.