Apple has long been considered a safer option for mobile users, the company designs its products with advanced security in mind and has been known to continually remove and ban apps from the app store that aren’t secure enough. However, with the release of iOS 12 and iOS 12.1 beta, Apple has come under scrutiny after it was discovered that a security flaw allows a user to bypass the passcode to gain access to the photos and contacts of the locked iPhone.

How does this exploit work?

There is a several step process to get into a locked iPhone running iOS12, and this isn’t something you’re likely to do by accident. Firstly, it’s important that FaceID is disabled. Even so, below is how it works step by step:

1. Use Siri to enable voice over.
2. Call the phone you want to get into so that the call screen appears
3. Click on the “Message” button on the call screen and select “custom”
4. Click on the + icon in the corner, and then send a message to the phone to get a notification, before double tapping the + icon. This should cause the screen to go white.
5. Swipe randomly on the screen until you here a “cancel” option
6. Double tap on the screen to bring up the message again and select numbers, this will bring up all of the contacts.

The process to get into photos also works through voiceover, and only allows you access to one photo at a time, that you can’t view before you select it as a contact photo. Getting into the phone would allow an attacker to steal contact information, or change contact information within the phone, as well as seeing restricted photos. Apple have not yet responded to the news, but it is expected that they will release a patch to fix the issue shortly.

[stackCommerce layout=”2″ count=”5″ sort=”best_sellers”][/stackCommerce]

The post IOS 12 allows Passcode Bypass appeared first on Hack Ware News.

Just realized that Apple’s webpage rendering engine, Webkit was used by all the browsers mentioned as mandated by Apple, meaning that the only difference between all these browsers were their respective little features and not much else. This may now bite Apple’s single-minded rear as a simple CSS script, properly weaponized can cause any Apple device to crash and burn, technically in the opposite order.

It has recently been discovered by a security researcher that Apple’s WebKit rendering engine has a vulnerability that can crash and restart any iOS and MacOS device. Fifteen lines of code is all it would take for any iOS device browsing the web to burn through its resources, crash and then reboot, according to researcher Sabri Haddouche from Wire.

Basically, nesting some web elements within the CSS backdrop filter will cause the device to burn through its resources faster than a lit match and no matter what your favorite browser is, you will encounter this problem just because your device is from Apple.

“The attack uses a weakness in the webkit-backdrop filter CSS property… By using nested divs with that property, we can quickly consume all graphic resources and crash or freeze the OS… All browsers on iOS are affected because the underlying rendering engine is WebKit… as per AppStore rules, it is forbidden to use your own rendering engine.”

–Sabri Haddouche, statement to BleepingComputer

It’s weird how we as consumers get duped into downloading a variety of browsers, saying they’re better when they technically do the same thing; unless you have browser extensions you can’t live without. Apple will still require browser makers to use their WebKit rendering engine to render web pages, which by the way, makes life for them easier.

All that’s left is to add their browser’s respective bells and whistles. The problem is that whatever vulnerability WebKit has, the issue becomes universal. There is no escape from the vulnerability just mentioned and any HTML/CSS bug a website might have as per the situation described in the opening. And since iOS and MacOS share the same rendering engine, Mac users will surely experience the same thing.

Windows, Linux and Android users thankfully have nothing to worry about but Apple has to patch this immediately in case this news makes it mainstream. The lackluster changes Apple made to their sequential iPhone X upgrade and audacious move in scrimping on dongles isn’t helping. This also applied to the newly-released iOS 12.

The good news is, the vulnerability by itself is actually harmless apart from the forced reboot, as no personal or financial information gets leaked outside to malicious parties. This issue becomes an old school case of mischief for pranksters who have no love for Apple and their antics.

These folks can simply spread out a text message that has a link to a webpage that contains this nesting script resulting in crashed iPhones, iPads and Macs (that use Safari). But this simple vulnerability can still be exploited by more malicious persons into doing something different and the potential is high as there are literally hundreds of millions of Apple devices actively used.

The bad news however is that this prank can be made persistent, as Haddouche was able to make a script that actually reloads the same page in case the user restarts the browser that launched it. If you used Safari to access the page, launching it again will freeze or reboot your device.

Thanks to Sabri, Apple has been made aware of this matter and as usual, it may take some time before a patch is issued and actually downloaded.

The post Short Script Can Make Your Apple Crash and Burn appeared first on Hack Ware News.