Skip to main content

PSA: iOS 13 developer and public beta bug allows unauthenticated access to passwords saved in Settings

Update: iOS 13 beta 4 fixes this vulnerability.

iOS 13 is still in beta and therefore bugs are to be expected, but a recently-discovered security vulnerability in the operating system is especially worth noting. This iOS 13 bug makes it easy for someone to gain access to the “Website & App Passwords” data in Settings.

Essentially, when running iOS 13 developer beta 3 or the second public beta of iOS 13, it’s incredibly easy to bypass the Face ID or Touch ID authentication prompt in Settings when trying to access your iCloud Keychain passwords. The issue was first noted on Reddit.

As detailed by iDeviceHelp on YouTube, you can access all of the saved usernames and passwords in Settings by repeatedly tapping the “Website & App Passwords” menu and avoiding the Face ID or Touch ID prompt. After several tries, iOS 13 will show all of your passwords and logins, even if you never successfully authenticated with Face ID or Touch ID.

9to5Mac confirmed that this vulnerability is present in the latest iOS 13 developer beta. Apple has been informed of the issue via the Feedback app in iOS 13, but has yet to acknowledge it. The bug is also present in the latest betas of iPadOS 13.

Of course, in order to access the “Website & App Passwords” menu, someone would also need to unlock your device to begin with, whether it be through Face ID, Touch ID, or with your passcode.

By running an iOS beta, you accept a certain level of risk and this vulnerability is a good example of such risk. Though, it is notable that such a major security hole is present in the public beta of iOS 13, which Apple released ahead of schedule to users. Nonetheless, you should never expect an iOS beta to be perfectly secure and stable, especially only 6 weeks into the testing process.

Apple released iOS 13 beta 3 to developers on July 2nd. This means we’re likely just a day or two away from the release of iOS 13 beta 4. Ideally, iOS 13 beta 4 and iOS 13 public beta 3 will resolve this vulnerability, but there’s no guarantee.

To see the bug in action, watch the video below.

FTC: We use income earning auto affiliate links. More.

Hyper Prime deals
You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Chance Miller Chance Miller

Chance is an editor for the entire 9to5 network and covers the latest Apple news for 9to5Mac.

Tips, questions, typos to chance@9to5mac.com