Apple has iOS 13.1 ready for release tomorrow to fix some performance and reliability issues with iOS 13 but we’ve also heard two reports of what users think could be an iOS 13 payment method security flaw.
Reported by Neowin, two users on Reddit shared about a problem when they updated their payment method for Apple’s services on iOS 13. Curiously, when the users updated their credit card information, an unknown user’s information popped up including name, address, and last four of their credit card number.
From Reddit user Thanamite over the weekend:
Today I decided to change my iTunes credit card. I used the take picture feature. It read my card well but then when I saved the card someone else’s credit card was saved! A woman’s from Illinois. I have her full name, billing address and last 4 digits of her credit card!
Then yesterday, another Reddit user, createdbyeric, experienced what sounds like the same thing:
As the title says. I went to update my payment info in iOS13 and while doing so, it showed me info for a Discover card (no one I know even has one of these) and the woman’s full billing address.
I took screen shots of everything and am going to report this to Apple ASAP however, I just read a post here on Reddit, not sure if it was this sub or another sub related to iOS/iPhone who posted the exact same issue.
creadtedbyeric explains that when reporting the issue to Apple, they seemed to take it very seriously and have escalated both his and Thanamite’s cases.
UPDATE: Spent about 40 minutes on the phone with Apple. They are aware of my issue and I was able to reference the case number of u/Thanamite from his post and they are taking the issue very serious. I was transferred an senior manager who quickly acknowledged how big of an issue this was and he will be escalating both our cases to higher ups. While this is a pretty scary issue, this is why I love Apple as a company. I was worried they wouldn’t take the issue serious but everyone I spoke too took this matter very serious. Thanks u/MustandV6Premium for helping me find the referenced post
These are the first two reports we’ve seen about this potential bug. Even though both users had updated to iOS 13, we don’t know if it is specifically an iOS 13 issue and could be a bug with Apple’s backend payment system more generally. We’ll update this post if more details come to light.
Update: Steve Troughton-Smith shared more in a Twitter response that this doesn’t sound like an iOS 13 issue.
I don't for a second believe that this has anything to do w/ iOS 13 other than new App Store ToS directing users to their payment options page. I imagine it's the same WebObjects/Akamai caching bug we've seen in various forms over the years where the local CDN serves stale data https://t.co/ZMMcSMx0R0
— Steve Troughton-Smith (@stroughtonsmith) September 23, 2019