Apple VoiceOver iOS vulnerability permits hacker access to user photos

The bug can be exploited to gain access to photos stored on a user's device.

A vulnerability has been discovered in the Apple iOS VoiceOver feature which can be exploited by attackers to gain access to a victim's photos.

As reported by Apple Insider, the bug, a lock screen bypass made possible via the VoiceOver screen reader, relies on an attacker having physical access to the target device.

Revealed by iOS hacker Jose Rodriguez and subsequently demonstrated in the YouTube video below, the attack chain begins with the attacker calling the victim's phone. This can be made possible by asking the Siri voice assistant to read out the phone number digit by digit, should the attacker not possess this information.

Once a call has been made, the attacker must then tap on "Answer by SMS," and then select the "personalize/custom" option.

CNET: Apple Watch Series 4: I hiked for 6 hours straight so you wouldn't have to

Any words can be input at this stage as the phrases are irrelevant, but it is key for the attacker to ask Siri to turn on VoiceOver at this point. The camera icon must then be selected, and following this, the attacker must double-tap on the screen while invoking Siri through side buttons at the same time.

It might take a few tries to trigger the bug, but when successful, this will turn the target device's screen black -- which is potentially the result of OS confusion or conflict.

The attacker can then use this bug to access elements of the user interface, such as the image library, which should otherwise be restricted without knowing the victim's passcode simply by swiping left.

Once access has been gained to the photo album, it is possible to double-tap photos to return to the call SMS reply box and add the content to the message. These images can then be stolen and sent to the attacker's personal mobile device.

TechRepublic: Photos: Apple iPhone models through the years

While the actual graphics of each image are obscured by the message box at this point, they can still be accessed and viewed after they have been added to the message.

The publication confirmed that the vulnerability is present in current iPhone models running the latest version of the mobile operating system, iOS 12.

See also: iOS 12's most annoying bug yet

In September, well-known Apple security expert Patrick Wardle revealed a zero-day vulnerability in Apple Mojave on the day of OS update's release which, if exploited, could result in the theft of user contacts information.

The disclosure followed Wardle's previous findings of a macOS bug which could lead to full system compromise.

ZDNet has reached out to Apple and will update if we hear back.

Previous and related coverage