The security researcher Jose Rodriguez (@VBarraquito) discovered a new lock screen bypass vulnerability affecting iOS 15 (and iOS 14.8) that has yet to be addressed by Apple. A threat actor with physical access to a vulnerable device can access the Notes app via Siri and VoiceOver without unlocking the device.
Rodriguez explained that, in real incidents, unattended or stolen devices affected by a lock screen bypass vulnerability are exposed to attacks that leverage the flaw to access sensitive information.
This type of vulnerability represents a serious threat to individuals and organizations; for this reason, the expert suggests including his research when conducting mobile pen-testing assessments.
The expert disclosed details about the lock screen bypass vulnerability after Apple downplayed similar flaws, tracked as CVE-2021-1835 and CVE-2021-30699, reported by the researcher earlier this year.
The flaws allowed an attacker to access instant messaging apps like WhatsApp or Telegram even while the mobile device was locked.
Rodriguez explained that Apple only partially fixed the issue and did not involve him in testing the released patch.
The expert then devised a variant of the same bypass issue that leverages Apple's Siri and VoiceOver services to access the Notes app.
I have contacted Rodriguez for a comment, and he told me that he was disappointed with the way Apple manages its Bug Bounty Program.
“I hope Apple reacts to the anger of the researchers and takes actions to improve the Apple Bug Bounty Program with greater agility in responses and payouts, and no lowballing security bug reports,” Rodriguez told me.
The expert also published a video PoC for the latest lock screen bypass vulnerability:
Let me suggest reading a post published by the expert that includes a long list of similar vulnerabilities:
Over the past few years, Rodriguez has disclosed several similar flaws, sometimes only a few days before the release of new iOS versions.
(SecurityAffairs – hacking, iOS)