VoiceOver bug exposes iPhone photos to hackers, lets them send them to other devices

Amateur iOS hacker Jose Rodriguez on Friday revealed another obscure, yet effective, lock screen bypass that leans on an unpatched bug in VoiceOver to gain unauthorized access to photos on a target device.

A video released by Rodriguez on his YouTube channel shows the exploit working against the latest iOS update, with both the attacker's personal device and the target iPhone on hand at the time of the attack.

As Rodriguez explained, the target iPhone first receives a phone call from an outside number, which triggers a standard iOS call dialogue.

If the attacker does not know the target iPhone’s number, they can acquire caller ID information by invoking Siri and asking the assistant to call their personal phone digit-by-digit.

In his proof-of-concept video, Rodriguez taps on the “Message” option on the iOS call screen and selects “Custom” to display the Messages user interface. After entering a few random letters in the text box, he once again invokes Siri to activate VoiceOver.

Returning to Messages, Rodriguez clicks on the camera icon and, while invoking Siri with iPhone’s side button, double clicks the screen to trigger what appears to be a system-level conflict.

While this particular step must be performed with a certain level of precision, an attacker can repeat the process multiple times until the desired effect is achieved.

A black screen is displayed when the bug condition is met. As Rodriguez demonstrates, however, VoiceOver’s text selection tool is able to access “hidden” UI options through typical navigation gestures.

Swiping left on the blank screen takes Rodriguez to “Photo Library” which, when selected by double tapping, returns him to the Messages app.

Apple might soon remove the bug in an upcoming update

The app drawer below the text input box is blank but leaves the app card collapse button active. Tapping on said element — a small handlebar — and swiping right grants VoiceOver unseen access to a target device’s photos, details of which are read aloud by the system.

Swiping through the photo library, which is seemingly obscured by the Messages UI, and double tapping on a given photo inserts the image into the Messages text box.

Multiple photos can be inserted, viewed and sent to an attacker’s device in this manner.

Users confirmed Rodriguez’s findings using current model iPhones, including iPhone X and XS devices, running the latest iOS 12.0.1.

Word of the bypass arrives two weeks after Rodriguez discovered a pair of similar VoiceOver vulnerabilities that grant unauthorized access to user contacts and photos.

A small bug may leak a lot of personal information

Unlike the previously uncovered methods, today’s technique is far less involved and allows would-be attackers to offload photos onto another device with relative ease.

Concerned users can minimize exposure to the apparent bugs by disabling Siri lock screen access in Settings > Face ID & Passcode or Settings > Touch ID & Passcode under the “Allow access when locked” heading.
