Less than two days after the release of iOS 12.1, a security researcher has found an exploit that allows anyone to access a phone’s contacts without requiring a passcode. The vulnerability is in Group FaceTime calls and works this way:
Select the FaceTime icon >> Select “Add Person” >> Select the plus symbol >> Scroll through the contacts and use 3D touch on a name to view all contact information that’s stored.
The researcher has explained the process in a video now uploaded to YouTube.
Is it a serious threat to iPhone users running iOS 12.1?
Not really. A threat actor would still have to plan something like a phishing attack using the contact information revealed by this method. Even so, it’s a significant risk if someone can randomly gain access to a user’s contacts.
As a mitigation, users can disable Siri so calls can’t be put through using voice, but that doesn’t solve the problem of the hacker being able to access the user’s contacts.
Apple may release a fix in the next iteration of iOS 12.X.X as a minor update, but the flaw has been found on earlier versions of iOS as well. That means a fix may not be in the works at the moment, and there’s been no comment from Apple regarding this iOS flaw.