Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
65,242
33,523



There appears to be a lock screen vulnerability in iOS 7 that allows access to a device's photos, email, and social networking accounts. According to Jose Rodriguez, who provided a video of the bug to Forbes, a simple set of gestures gives unwarranted access to a device running iOS 7.

The exploit can be initiated by swiping upwards on the device's lock screen to access the Control Center and open the Clock app. Once the clock app is open, holding the phone's sleep button will cause the "Slide to Power Off" option to appear. Tapping on cancel at this juncture and then double clicking on the home button will open the phone's multitasking screen, providing access to the camera and the photos on the device. The key to the trick, however, is to access the camera app from the lock screen first, causing it to appear in the recently used apps list.

Because the photos from the camera app can be shared via Flickr, Twitter, Facebook, and email, an intruder can also gain access to those apps using the sharing tools.

I tested the technique on an iPhone 5 running iOS 7, and it worked. Rodriguez's video shows it working on an iPad, too. It's not yet clear if the same exploit can bypass the lockscreen of an iPhone 5s or 5c, but Rodriguez tells me he believes it will. I've reached out to Apple for comment and I'll update this post if I hear from the company.
Apple has been plagued by lock screen vulnerabilities multiple times over the course of the year, with a bug appearing in iOS 6.1 that allowed lock screen access to the phone when the emergency call function was manipulated.

The current iOS 7 vulnerability can be avoided by preventing the Control Center from appearing on the lock screen. The setting can be turned on by opening the Settings app, selecting "Access on Lock Screen" and toggling it off.

Update: Apple has told AllThingsD that it is working on a fix.
"Apple takes user security very seriously," Apple spokeswoman Trudy Muller told AllThingsD. "We are aware of this issue, and will deliver a fix in a future software update."

Article Link: iOS 7 Lock Screen Vulnerability Gives Access to Photos, Email
 

stephen1108

macrumors 65816
Sep 30, 2007
1,104
357
I've always wondered how people stumble upon these vulnerabilities, then turn around and are even able to recreate them.
 

chekk

macrumors newbie
Jun 17, 2011
23
11
Working here on my 4S

Unsettling to be able to see all my photos and contacts on a locked phone without entering my passcode.
 

RRmalvado

macrumors 6502
May 27, 2010
352
25
Pick one that the Applelogists will go for:

- Why are people keeping their Photos in the multitasking bar? :confused:
- I've never had that problem!!! This guy is just looking to create trouble for Apple.
- Go get an Android if you don't like the way the lock screen behaves.

In reality though, I'm sure this'll be fixed in 7.0.1 or 7.0.2.
 

gaximus

macrumors 68020
Oct 11, 2011
2,304
4,658
I wish since I don't have a passcode, that when I access the camera from the lock screen I could have the share option available when looking at recently taken pictures.
 

notjustjay

macrumors 603
Sep 19, 2003
6,056
167
Canada, eh?
I've always wondered how people stumble upon these vulnerabilities, then turn around and are even able to recreate them.

Often just by playing around. Sometimes playing around leads to one thing which causes you to realize "Wait, what if I do this too?" and, whoops, you've stumbled on a path that nobody ever expected.

Then you realize you're in the "bad" state (I can see photos and I'm not supposed to be able to!) and the next step is to try to recreate the actions that got you there, until you distill it down to exactly what the problem is.

Then you file a problem report to the software guys and they can fix it...

Locking down software is kind of like locking down a physical room. It's easy to set up the obvious stuff -- put locks on the doors and windows -- but then you have to start thinking about the more far-fetched scenarios. What if you gained access to the boiler room, then snuck up through the ceiling tile? What if someone manages to find the spare key to the lock that you left in the bedroom? Thorough testing, and/or reports from accidental discoveries like this, are what's needed to plug up all the holes.

Do people have nothing better to do than to try and find ways to break iOS?

No software is perfect. Don't you want them to find the flaws so they can be fixed quickly?
 
Last edited:

RedRaven571

macrumors 65816
Mar 13, 2009
1,128
114
Pennsylvania
I've always wondered how people stumble upon these vulnerabilities, then turn around and are even able to recreate them.

Me too! Really, you swipe up to show the control center, then you turn your car on and off 6 times in succession, while jumping up and down on your left foot, while eating an apple (a Granny Smith, specifically) and humming the theme to 'Gilligan's Island" and you will be able to see internet photos of your own privates......

WHO has the time to do this stuff?
 

Thierry ba

macrumors 6502a
Apr 10, 2012
601
86
Sarajevo, Bosnia
7.0.1 is out.

iOS-7.0.11.png
 

Springman

macrumors member
Aug 7, 2013
66
47
Easy fix - just turn off access to the control center from the lock screen.

I too am amazed at how people figure this stuff out....ok, stand on one leg, wear an eye patch and bark like a dog. If you do those things then the software will hiccup.

:confused:
 

velocityg4

macrumors 604
Dec 19, 2004
7,330
4,721
Georgia
Apple really needs to implement a full lockdown lockscreen option. Where all you can do is swipe to unlock. No playing music, emergency dialing, answering calls, silencing alarm, &c. Just complete and total lockdown for people with sensitive information.
 

RainCityMacFan

macrumors 6502a
Jun 10, 2007
929
4
NC
The first thing I turned off when I installed iOS 7.

The control center is a bit too much power for someone to have over my phone if they don't know my passcode.
 

TWSS37

macrumors 65816
Feb 4, 2011
1,107
232
One moment you're getting praised for security, the next you're getting ripped for exploits :rolleyes:
 

volcom883

macrumors regular
Sep 29, 2008
186
0
istanbul
Listen to this one then!

Even if you have the password lock on when you connect the iphone to any mac and open Image Capture app you can see and transfer all the videos&photos... (i bet you can also do it on pc too)

i thought this was gonna be fixed with ios 7 but it hasnt.

basically because of this i never give my phone to charge on a laptop at hotels and restaurants!!!

the funniest part: without entering the passcode if you take photos you can only see the ones you recently took... (i guess they wanted us to protect our photos here. thanks apple)
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.