The procedure, demonstrated in a video, involves receiving a call on the locked device and opting to respond with a text message, then changing the "to" field of the message, which can be done via VoiceOver. The "to" field pulls up the owner's contacts list, thus giving an unauthorized miscreant the ability to crawl through the address book without ever needing to actually unlock the phone.
To be clear, you need to have your hands physically on a victim's device, and call it from another phone, to exploit this shortcoming. You can also prevent this from happening, apparently, by disabling "reply with message" in your iDevice's Face ID & Passcode settings, under the "allow access when locked" section. By default, this feature is enabled, leaving iOS 13 users at risk out of the box. Similar unlock workarounds have been demonstrated by Rodriguez and other researchers in the past.
These sorts of information-disclosure bugs are generally considered low-risk security flaws, well short of the critical vulnerabilities that allow remote code execution, or the one-touch pwnage flaws that bring seven-figure payouts from some platforms.
Still, you would think the discovery would at least net some sort of acknowledgement and reward from Apple. Rodriguez tells The Reg that when he contacted Apple staff about the find, he was given the cold shoulder – because researchers can't claim bug rewards on beta builds of the operating system, apparently.
"I contacted Apple asking for a gift in thanks for reporting a passcode bypass, Apple agreed to give me a gift," Rodriguez recounts.
"I reported the security problem and then Apple retracted, apologized and told me that it was not allowed to thank by giving gifts for security reports during beta period."
The "gift" in question? A $1 Apple Store card to keep as a trophy. It was not the monetary payout Rodriguez was interested in, rather the recognition from Apple for his latest find.
Not only that, but Rodriguez says that, despite sounding the alarm on the blunder months ago, his bypass method still works on the most recent gold builds of iOS 13, which will be officially released later this month and power Cupertino's forthcoming iThings. We'll have to see if shipping gear still suffers the issue.
Apple has yet to comment on the matter. ®
Updated to add
We understand the insecure-lock-screen iOS 13 will be officially released on September 19, and is available now as a beta. A fixed version, iOS 13.1, is due to land on September 30.