Serious security flaw in password manager and hidden/deleted photos.

Question

plixxer2023 Author

Level 1

9 points

Serious security flaw in password manager and hidden/deleted photos.

If someone gets hold of your lock screen passcode they can:

Change your iCloud password instantly in settings.
Access your passwords from settings and have all saved passwords.
Open hidden/recently deleted photos.

iCloud password can be changed in an instant if your passcode is compromised and someone has your phone, see it for yourself, open settings> click your name> password and security and first option is change iCloud password and it just needs your lock screen passcode. Solution (which fails due to things mentioned in 2): Set up Screen Time 4-digit password and use content & privacy restrictions> account changes> don't allow, plus additionally select passcode changes> don't allow.
Password manager has a major flaw that all the complex/difficult passwords it stores plus all the security measure which it takes to protect that internally is amazing but here again if two times the Faceid doesn't work you can simply bypass by Lock screen passcode which I believe just compromises everything the password manager and password keychain stands for. As said above you can sure use screen time to block someone from accessing account changes but then again if password manager is compromised by this simple technique, then he can have the iCloud password anyways and now he can just reset the screen time and that defeats the whole purpose of setting it up in the first place.
Hidden/recently deleted folder is also compromised as mentioned earlier that Faceid can just be bypassed by again Lock screen password. Again, screen time can be used here to just lock the photos app by putting App Limits and setting it to 1 min and sure someone won't be able to open your photos but again as mentioned in 2 this fails.

tldr: Wherever you use biometrics/Faceid after your phone is unlocked it is compromised due to the fact that it can just be bypassed by 6-digit Lock screen code.

I think that apple needs to use different verification method to unlock the password manager in settings like having a separate password where long strings can be used as passwords. This will solve the problem mentioned in 1 and 2 but for 3(hidden photos) Apple has to come up with something that is safe as well as convenient.

iPhone 14 Pro Max

Posted on Mar 19, 2023 12:08 PM

Reply

Answer 1

Mar 19, 2023 2:33 PM in response to plixxer2023

plixxer2023 wrote:

But I'm not even talking about some hacker doing this, this can be done by any person who just knows how to use ios and knows this flaw and trust me a lot of people don't even know that this flaw exist.

Hackers prefer acquiring users’ passwords and passcodes, or tricking the users into disabling or bypassing their own local security. Not the sophisticated or complex technical attacks, not “viruses”. Social engineering. Scams. Conning. Phishing and spear-phishing. Approaches which are far more time- and cost-effective. Not the sorts of technical attacks as can often be portrayed in much of media.

Hacking is a business, with managers and budgets and goals, and all the rest.

Again, the exposure of an Apple ID password or device passcode is bad. Catastrophe-level bad. Worse than you have reported here, not the least of which can involve complete and total loss of control of the device, complete loss of data access, loss of data, loss of device security, and worse. Bad.

There is a reason two-factor amd other details have been encouraged, and I expect recently-added hardware security token usage will be encouraged, too.

Here is what to do: If you think your Apple ID has been compromised - Apple Support

As for your posting here, again, send your feedback to the people that work for Apple: Product Feedback - Apple

Reply

Answer 2

plixxer2023 Author

Level 1

9 points

Mar 20, 2023 12:25 AM in response to plixxer2023

Solution: Notes app can be used to save passwords as it offers custom password in settings app while still being able to be authenticated by Faceid.

Here's what to do: Settings> Notes> Password> Use Custom Password

If I'm wrong than please correct me thank you

Reply

Answer 3

Mar 19, 2023 12:30 PM in response to plixxer2023

plixxer2023 wrote:

But Password manager shouldn't be able to be viewed by passcode.

Yes.

An exposed password or passcode is bad.

More bad than you know about too, based on this thread.

Send your feedback to the people that work for Apple: Product Feedback - Apple

Reply

Answer 4

Mar 19, 2023 12:11 PM in response to plixxer2023

If somebody gets your password or passcode, yes, you’re going to have a bad day.

Send your feedback to Apple: Product Feedback - Apple

Reply

Answer 5

plixxer2023 Author

Level 1

9 points

Mar 19, 2023 12:46 PM in response to MrHoffman

But I'm not even talking about some hacker doing this, this can be done by any person who just knows how to use ios and knows this flaw and trust me a lot of people don't even know that this flaw exist.

Reply

Answer 6

plixxer2023 Author

Level 1

9 points

Mar 19, 2023 12:13 PM in response to MrHoffman

But Password manager shouldn't be able to be viewed by passcode.

Reply

Answer 7

Mar 20, 2023 6:15 AM in response to plixxer2023

I use a passcode well past 12 characters, and with Face ID to reduce frequency of usage.

Reply

Serious security flaw in password manager and hidden/deleted photos.

Similar questions