iOS 13 Bug Lets Anyone Access Passwords Stored on an iPhone
A bug in the latest betas of iOS 13 allows anyone to access the passwords stored on an iPhone without providing the passcode and by skipping Face ID/Touch ID verification.
First reported on Reddit and presented in a demo on YouTube by iDeviceHelp, the issue exposes information stored in the “Website & App Passwords” section in Settings.
Bypassing the biometric authentication is pretty simple, as it only comes down to a series of taps on the “Website & App Passwords” menu in Settings > Passwords & Accounts. Whenever the Face ID prompt shows up, just tap cancel and continue tapping the same menu item.
At one point, the authentication check is ignored and the iPhone reveals the passwords stored in the iCloud Keychain, even if the biometric verification itself wasn’t completed.