An apparent bug in Apple’s payment systems may be inadvertently leaking sensitive credit card information to random strangers.
At least two cases of the issue have been reported on Reddit. Both users ran across the bug when attempting to add a new credit card to their Apple accounts (specifically for iTunes purchases). During or after the process of adding the payment method, they discovered a stranger’s billing information.
“I went to update my payment info in iOS 13 and while doing so, it showed me info for a Discover card and the woman’s full billing address,” Redditor createdbyeric wrote.
The leaked data seems to include a person’s full name, billing address and the last four digits of their credit card.
“… when I saved the card someone else’s credit card was saved!” user Thanamite wrote. “A woman’s from Illinois. I have her full name, billing address and last 4 digits of her credit card.”
Importantly, neither of the users knew the person whose data was appearing on their devices. In each case, it appeared to be a complete, random stranger.
Both of the reported instances occurred on devices running iOS 13. At least one of the handsets was a brand new iPhone 11 Pro Max. At this point, it’s not clear if this bug is related to specific devices, iOS 13 or Apple’s payment backend systems.
It’s not clear if this is a new issue or if it’s been around for any length of time. At least one other Redditor said in the comments that, since a year ago, they have sometimes seen a random credit card from China showing up as a suspected payment card.
Similarly, it isn’t clear if this bug simply leaks the credit card information to strangers, or if it will actually allow strangers to use the card as a payment method. While both scenarios are serious, the latter would arguably be a much bigger breach of security.
Both Thanamite and createdbyeric reported the issue to Apple Support. According to reports by both users, Apple is taking the security flaw extremely seriously.
Apple senior management and technology engineers appear to be investigating the problem. According to additional information from Thanamite, the underlying bug could be tied to iCloud Keychain.
While these are the only two reports that we’ve seen so far, the issue could very well be more widespread. If you notice this issue on your own device, we highly recommend contacting Apple Support.