The new iOS 7, the redesigned version of Apple’s (NASDAQ:AAPL) mobile operating system, is hardly two days old, but the latest firmware has already encountered a security bug, which allows anyone to use the new Control Center feature to bypass the passcode-protected lock screen on devices running iOS 7.
Once executed successfully, the bug gets around the passcode and gives anyone access to a number of apps containing personal data such as photos, email, text messages, and even Facebook and Twitter accounts.
The security hole was discovered by Jose Rodriguez from Spain’s Canary Islands, who shared with Forbes the technique to reproduce the bug. According to him, the vulnerability involves the Control Center, a new feature in iOS 7 that offers quick access to commonly used apps and commands.
Here is how to replicate the bug to bypass the lock screen:
- Swipe up from the bottom of a locked iPhone or iPad’s lock screen to access the device’s Control Center.
- Now, open the Alarm Clock app.
- Hold down the power button to bring up options to “Power Off” or “Cancel.”
- Now, tap “Cancel” and quickly double-click the Home button to enter the iOS 7 multitasking screen, which provides access to email, photos and more.
Here is a video, made by Rodriguez, which shows the entire procedure to reproduce the vulnerability:
While the iOS 7 bug can temporarily be avoided by toggling the Control Center off in the Settings app, Apple has reportedly confirmed that it is aware of the issue and will fix the bug in a future software update.
The bug in question gives access only to apps that were kept open before the device was locked. And, according to Apple Insider, the vulnerability impacts only a limited number of apps and other services. For example, Safari cannot be launched from the multitasking view.
Apple said in a post on its security mailing list that the iOS 7 update brings fixes for 80 security vulnerabilities on the platform. However, the company’s security experts clearly missed a crucial one.