A security researcher has published details of a new lockscreen bypass technique that can be used to access iPhone (opens in new tab) content without supplying a passcode or other form of authentication.
The technique abuses quirks in Apple’s Siri and VoiceOver services and could allow an attacker to retrieve information stored in the iPhone Notes app, in which users have been known to store account credentials and other sensitive information.
In a tweet (opens in new tab) published last week, researcher Jose Rodriguez explained the vulnerability is present in iOS 14.8 and the pre-launch iOS 15 (opens in new tab) release candidate. He has since also confirmed that the public iOS 15 build, which arrived yesterday, suffers from the same problem.
- Here's our list of the best iPhone antivirus (opens in new tab) apps around
- We've built a list of the best smartphones for businesses (opens in new tab)
- Check out our list of the best antivirus (opens in new tab) services out there
Apple bug bounty controversy
According to Rodriguez, the decision to disclose the iPhone bug on iOS 15 launch day was a very deliberate one, made in protest of the standard of the Apple bug bounty program.
This is the second time Rodriguez has discovered an iPhone vulnerability of this sort. In a previous instance, he reported the issue directly to Apple, but was unimpressed by the way in which the company handled his disclosure and the compensation he received.
“Apple values reports of issues like this up to $25,000,” he wrote, in reference to the latest vulnerability. “But for reporting a more serious issue I was awarded with $5,000.”
In a later tweet (opens in new tab), he explained he had decided to disclose the new vulnerability publicly “in hopes Apple realizes it is being tightwad rewarding security bug reports, and reconsider the bounties (sic)”.
This is not the first time in recent weeks the company’s bug bounty program has come under fire. Earlier this month, reports emerged (opens in new tab) of a massive backlog of unfixed bugs and general frustration among security professionals who have engaged with Apple.
TechRadar Pro has asked Apple for comment on the criticisms of its program, but the company is yet to respond.
- Check out our list of the best business tablets (opens in new tab)
Via TheRecord (opens in new tab)