Access Private Photos and Contacts Without a Passcode on iOS 9 devices

A hacker has found a way to access images and contacts stored on Apple iOS 9 devices even if they are protected with a passcode or Touch ID.

A few hours ago I posted the news on the decision of the security firm Zerodium to pay a 1 million dollar prize for zero-day exploits and jailbreaks for the newborn iOS 9.

Now I discover that it is quite easy to access a user’s personal photos and contact list stored on devices running iOS 9. According to colleagues at THEHACKERNEWS, a hacker has found a method to access private data even if the mobile device is protected with a passcode or Touch ID.

The hacker explained that, using Apple’s personal assistant Siri, it is possible to access data on a mobile device running iOS 9 in less than 30 seconds.

Below are the detailed instructions to bypass the passcode:

  • Take the Apple device running iOS 9 and enter an incorrect passcode four times.
  • Depending on the length of your passcode, for the fifth attempt enter 3 or 5 digits and for the last one, press and hold the Home button to run Siri immediately followed by the 4th digit.
  • Once Siri appears, ask the assistant for the time.
  • Tap the Clock icon to open the Clock app, and add a new Clock, then write anything in the Choose a City field.
  • Now double tap on the word you wrote to invoke the copy & paste menu, Select All and then click on “Share”.
  • Tap the ‘Message’ icon in the Share Sheet, and again type something random, hit Return and double tap on the contact name on the top.
  • Select “Create New Contact,” and Tap on “Add Photo” and then on “Choose Photo”.
  • At this point, you’ll now be able to access the entire photo library on the iOS device, which is still locked with a passcode. Now browse and view any photo from the Photo album individually.

Below is the video proof of concept for the trick.

Although this kind of hack doesn’t match the “Eligibility / Conditions” announced by Zerodium, it is interesting to note that it is quite easy to bypass the basic security measures implemented by the IT giant for its newborn iOS 9.

While waiting for a patch, iOS users can disable Siri on the lock screen by modifying the settings of the device under:

Settings > Touch ID & Passcode

Once it is disabled, users will still be able to use Siri after unlocking their iOS 9 based device.
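For managed fleets, the same mitigation can be pushed as a configuration profile instead of being set by hand on each device. The following is an added example, not part of the original article: it builds an unsigned profile that sets the Restrictions payload key `allowAssistantWhileLocked` to false and audits a profile for that setting. The `com.example.mdm` identifiers and display names are constructed placeholders.

```python
import plistlib
import uuid

RESTRICTIONS = "com.apple.applicationaccess"  # Apple's Restrictions payload type


def build_profile(org_prefix="com.example.mdm"):
    """Return a .mobileconfig (XML plist bytes) that blocks Siri while locked.

    org_prefix is a constructed placeholder; use your own reverse-DNS prefix.
    """
    restrictions = {
        "PayloadType": RESTRICTIONS,
        "PayloadVersion": 1,
        "PayloadIdentifier": org_prefix + ".restrictions.siri-lock",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Disable Siri on lock screen",
        "allowAssistantWhileLocked": False,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_prefix + ".siri-lock",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Lock screen hardening",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def siri_blocked_when_locked(profile_bytes):
    """True if an unsigned profile turns Siri off on the lock screen (or entirely)."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS:
            continue
        # Both keys default to true when absent, so only an explicit False counts.
        if payload.get("allowAssistantWhileLocked") is False:
            return True
        if payload.get("allowAssistant") is False:
            return True
    return False


if __name__ == "__main__":
    data = build_profile()
    print(data.decode())
    print("Siri blocked on lock screen:", siri_blocked_when_locked(data))
```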

Edited by Pierluigi Paganini

(Security Affairs – iOS 9, hacking)