14 DAY TRIAL // A bug in the latest betas of iOS 13 allow anyone to access the passwords stored on an iPhone without providing the passcode and by skipping Face ID/Touch ID verification.
First reported on reddit and presented in a demo on YouTube by iDeviceHelp (video embedded below), the issue exposes information stored in the “Website & App Passwords” section in Settings.
Bypassing the biometric authentication is pretty simple, as it only comes down to a series of taps on the “Website & App Passwords” menu in Settings > Passwords & Accounts. Whenever the Face ID prompt shows up, just tap cancel and continue tapping the same menu item.
At one point, the authentication check is ignored and the iPhone reveals the passwords stored in the iCloud Keychain, even if the biometric verification itself wasn’t completed.
While the video shows the bug in action on an iPhone X with Face ID, I could reproduce the same issue on an iPhone SE as well. Pressing cancel to dismiss the Touch ID verification isn’t even required on the iPhone SE.
The bug exists in iOS 13 developer beta 3, and I can confirm that it’s there in the second beta as well.
Bug only affecting beta build
Needless to say, Apple hasn’t provided any statement on this bug, but it doesn’t even have to, as it only affects beta builds that it releases to testers. Most likely, the Cupertino-based company will resolve it in an upcoming beta, so it won’t be there in the stable iOS 13 stable version due in September.
In the meantime, it’s important to keep in mind that beta builds do come with such issues, as these releases are being used by Apple to test the reliability and stability of the OS and features that are supposed to be part of the final version.
