{"id":15882,"date":"2019-07-23T09:22:48","date_gmt":"2019-07-23T17:22:48","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/23\/news-9627\/"},"modified":"2019-07-23T09:22:48","modified_gmt":"2019-07-23T17:22:48","slug":"news-9627","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/07\/23\/news-9627\/","title":{"rendered":"Big password hole in iOS 13 beta spotted by testers"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/sophosnews.files.wordpress.com\/2019\/07\/shutterstock_728725078-compressor.jpg\"\/><\/p>\n<p><strong>Credit to Author: John E Dunn| Date: Tue, 23 Jul 2019 10:18:52 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"entry-prefix\">\n<div class=\"entry-author\"><span class=\"by\">by<\/span> <a href=\"https:\/\/nakedsecurity.sophos.com\/author\/john-e-dunn\/\" title=\"Posts by John E Dunn\" class=\"author url fn\" rel=\"author\">John E Dunn<\/a><\/div>\n<\/p><\/div>\n<p>A security clanger has been spotted in the current beta version of <a href=\"https:\/\/www.apple.com\/ios\/ios-13-preview\/\" rel=\"nofollow\">iOS 13<\/a> which allows anyone to access a user\u2019s stored web and app passwords without having to authenticate.<\/p>\n<p>Affecting iOS 13 public beta 2, developer beta 3, and iPadOS 13 betas, the issue appears to have <a href=\"https:\/\/www.reddit.com\/r\/iOSBeta\/comments\/cbfgtb\/bug_very_serious_bug_that_allows_anyone_to_view\/\" rel=\"nofollow\">surfaced first on Reddit<\/a>, complete with a brief demo video later <a href=\"https:\/\/www.youtube.com\/watch?v=S_rlN2IIbyM&amp;feature=youtu.be\" rel=\"nofollow\">expanded with commentary<\/a> on the YouTube channel iDeviceHelp.<\/p>\n<p>The issue can be reproduced by repeatedly tapping on the <strong>Website &amp; App Passwords<\/strong> menu (<strong>Settings<\/strong> &gt; <strong>Password &amp; Accounts<\/strong>), which stores credentials used by the web autofill function.<\/p>\n<p>Normally, tapping on this menu should prompt iOS to ask for Face ID or Touch ID authentication, which indeed it does if the user only taps a few times.<\/p>\n<p>However, tapping 20 or more times in quick succession, while cancelling the authentication prompts 
at the same time, eventually gives access to the passwords. Once in, the passwords can be changed and shared with other devices.<\/p>\n<h2>Nick of time<\/h2>\n<p>The barriers to an attack are still quite high &#8211; an attacker would need physical access to an unlocked iPhone or iPad &#8211; but even by beta standards it\u2019s still an unfortunate flaw to uncover.<\/p>\n<p>One could argue that this is what public betas are for &#8211; finding flaws, both minor and serious. It\u2019s also easy to imagine that a flaw that is so hard to trigger could easily have been missed and ended up in the final version of iOS 13 due for release to the public in September.<\/p>\n<p>The next public betas of iOS 13 are said to be imminent, although it\u2019s not yet clear whether Apple will have fixed the issue by then. 
If you\u2019re one of the enthusiasts running public betas, this weakness will be one to check for when it appears.<\/p>\n<p>On the plus side, when it does finally arrive, iOS 13 will feature a number of security tweaks, including telling users which apps <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/11\/ios-13-will-map-the-apps-that-are-tracking-you\/\">are tracking them<\/a>.<\/p>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/nakedsecurity\/~3\/aZwDCfTPAro\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/NakedSecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/sophosnews.files.wordpress.com\/2019\/07\/shutterstock_728725078-compressor.jpg\"\/><\/p>\n<p><strong>Credit to Author: John E Dunn| Date: Tue, 23 Jul 2019 10:18:52 +0000<\/strong><\/p>\n<p>A security clanger has been spotted in the current beta version of iOS 13 which allows anyone to access a user\u2019s stored web and app passwords without having to authenticate.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[2211,14737,10480,22024,11721,8826,10554,11271,12154,10602,16165,10467],"class_list":["post-15882","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-apple","tag-face-id","tag-ios","tag-ios-13","tag-ipad","tag-iphone","tag-mobile","tag-operating-systems","tag-password-security","tag-passwords","tag-security-threats","tag-vulnerability"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15882","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15882"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15882\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15882"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15882"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15882"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}