A newly publicized vulnerability in the latest iOS 13 betas could potentially expose your website and app passwords if you aren’t careful.
The security flaw was first discovered by Redditors and has since shown up in an iDeviceHelp YouTube clip. In a nutshell, it could allow someone with physical access to your unlocked device to read your website and app passwords without authenticating.
By default, accessing the Website & App Passwords pane in Settings requires a user to authenticate with Face ID or Touch ID — even if their device is unlocked. But a bug present in the latest iOS 13 and iPadOS betas could allow a potential attacker to bypass that.
Essentially, quickly and repeatedly tapping on the Website & App Passwords icon may allow an attacker to bypass the authentication step and gain access to the menu, which reveals app or website login information in plaintext.
- While we couldn’t replicate the bug on an iPhone XS Max running the latest developer beta, we were able to exploit the vulnerability on an iPhone SE running the latest public beta.
- Community user reports indicate that the bug is present on devices like the iPhone X, XR
It’s worth noting that the vulnerability isn’t an especially major one as far as real-world risk goes. As mentioned earlier, an attacker would need physical access to your unlocked iOS device. That being said, the bug could certainly be exploited in the real world to view your passwords.
On the other hand, the bug is a good illustration of why we don’t recommend installing beta software on your daily drivers. Think back to all of the times you’ve handed your device to someone unlocked. With this vulnerability, each of those times could have exposed your website and app password data.
The vulnerability has apparently been reported to Apple, but the company has yet to acknowledge it.
Presumably, Apple will patch the flaw in a future beta version of iOS 13. We should be expecting new beta versions of iOS 13 and iPadOS in the next few days, but it remains unclear whether those updates will squash the bug.
There’s currently no mitigation for the flaw. So, until Apple fixes it, we recommend keeping a close eye on any device that’s running a beta version of iOS 13 or iPadOS.