[TheRecord] Researcher discloses iPhone lock screen bypass on iOS 15 launch day

On the day Apple released iOS 15, a Spanish security researcher disclosed an iPhone lock screen bypass that can be exploited to grant attackers access to a user’s notes.

In an interview with The Record, Jose Rodriguez said he published details about the lock screen bypass after Apple downplayed similar lock screen bypass issues he reported to the company earlier this year.

“Apple values reports of issues like this with up to $25,000 but for reporting a more serious issue, I was awarded with $5,000,” the researcher wrote on Twitter last week.

In hopes Apple realizes that is being tightwad rewarding security bug reports, and reconsider the bounties. https://t.co/g6TEIWmVDJ

— Jose Rodriguez (@VBarraquito) September 15, 2021

Rodriguez said he was referring to lock screen bypasses tracked as CVE-2021-1835 and CVE-2021-30699, which Apple patched in April and May, respectively.

The two issues allowed threat actors to access instant messaging apps like Twitter, WhatsApp, or Telegram even while the phone was locked [video here].

“Apple mitigated this, [but] didn’t fix at all, and they never asked me if the issue was fixed,” Rodriguez told The Record today.

Because of the unprofessional way Apple handled his bug report, the researcher published today a variation of the same bypass, but this time one that uses the Apple Siri and VoiceOver services to access the Notes app from behind the screen lock.

Rodriguez has now added his name today to a long list of security researchers who have criticized Apple for how it handles its public bug bounty program.

Washington Post article published two weeks ago contained similar accusations from other researchers about how the company’s security team was leaving bug reports unsolved for months, shipping incomplete fixes, low-balling monetary rewards, or banning researchers from their program when they complained.

The post Researcher discloses iPhone lock screen bypass on iOS 15 launch day appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

CTF Scoreboard

CTF Scoreboard

All posts, PHP

This is the scoreboard script used in the NCSC-FI #tietoturvahaaste-hackathon / CTF. It’s a very simple script that you can set up to show scores in a competition. It requires a web server running PHP. Copy the files and folders to the directory that serves your webpages. Open in browser and F11 for full screen. The […]

Read More

[ZDNet] Citizen Lab researcher disputes claims from NSO Group after UK court finds UAE ruler used Pegasus to hack ex-wife, lawyers

All posts, ZDNet

“Would NSO Group have notified Princess Haya’s lawyers had I not done my own notification?” Citizen Lab’s William Marczak told ZDNet. Source: Read More (Latest topics for ZDNet in Security)

Read More

Daily NCSC-FI news followup 2020-11-29

Hacker Lexicon: What Is the Signal Encryption Protocol? www.wired.com/story/signal-encryption-protocol-hacker-lexicon/ LAST WEEK, WITH little fanfare, Google announced a change that could soon make its 2 billion Android users worldwide far harder to surveil: The tech giant says it’s rolling out a beta version of its Android messaging app that will now use end-to-end encryption by default. […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.