Vulnerability makes it possible to access photo gallery

Feb 14, 2017 05:34 GMT

A security vulnerability in Windows 10 Mobile allows anyone to bypass the security code and access the photo gallery on a device running either production or preview builds shipped as part of the Windows Insider program.

While at the moment it looks like the latest Windows 10 Mobile Redstone 2 preview builds are not affected by the flaw, WindowsTeam reports that pretty much anyone can bypass the passcode of a Windows phone using just a few simple steps that eventually provide access to photos.

To exploit the bug, all you have to do is open the camera while the device is still locked using the camera shortcut on the lock screen, take a photo, and then open it using the little thumbnail in the lower-left corner. Once you open the pic, delete it using the trash bin icon on the screen and press the back button on your device.

The thumbnail should turn black, so tap it just like you’d want to preview a photo. Press the back button once again and then attempt to open the picture one more time using the same black thumbnail. Once you do that for the third time, you should be able to swipe through the entire photo gallery that’s stored on the phone.

Bug already reported to Microsoft

While it’s hard to believe that many people could figure out this whole thing all by themselves, it’s worrying that potential attackers could get access to someone’s photo gallery so easily.

And even though this bug isn’t quite a major security flaw because it only exposes the stored photos and not other data, it’s still something that Microsoft needs to take care of as soon as possible.

On the bright side, the bug has already been reported to Microsoft in the Feedback Hub, so the company will definitely look at it and release a patch.

Coincidentally, today is Patch Tuesday, but given that all security fixes will go live in just a few hours, it’s hard to believe that the company can develop a patch for Windows 10 Mobile in time for today’s rollout if it wasn’t already aware of the bug.