New iPhone Bug Gives Anyone Access To Your Photos

A security enthusiast who discovered a passcode bypass vulnerability in Apple's iOS 12 late last month has now dropped another passcode bypass bug that works on the latest iOS 12.0.1 that was released recently.

Jose Rodriguez, a Spanish amateur security researcher, discovered a bug in iOS 12 in late September that allows attackers with physical access to your iPhone to access your contacts and photos.

The bug was patched in iOS 12.0.1, but he now discovered a similar iPhone passcode bypass hack that works in 12.0.1 and is easier to execute than the bug Rodriguez discovered and reported two weeks ago.

The new hack allows anyone with physical access to your locked iPhone to access your photo album, select photos and send them to anyone using Apple Messages.

Since the new hack requires much less effort than the previous one, it leaves any iPhone user vulnerable to a skeptic or distrustful partner, curious college, friend or roommate who could access your iPhone's photo album and grab your private photos.

Here's How to Bypass iPhone Lock Screen to Access Photos

The new passcode bypass requires about 10 steps to get executed, as follows:

• Call the target iPhone from any other phone (if you don't know the target's phone number, you can ask Siri "who I am," or ask Siri to make a call to your phone number digit by digit).

• Don't answer the call by picking it up, instead of tap on "Messages" (by default in iOS comes on) and tap on "Custom" to reply via text message.

• Type any word in the text message box.

• Ask Siri to enable VoiceOver, a service meant for sight-impaired users.

• Tap on the camera icon.

• Invoke Siri with the iPhone's home button and at the same time double-tap the phone's screen (it does not work then repeat many times).

• When the screen comes black, swipe your finger on the screen up to the top left corner where VoiceOver will read aloud what you have selected. Keep swiping until VoiceOver reads "Photo Library."

• Double tap on the screen to select Photo Library. This will take you back to the message screen, but you'll see a blank space in the place of the keyboard. It is actually an invisible Photo Library.

• Now swipe your finger up to VoiceOver read aloud the characteristics of each photo.

• Double-tap on a photo will display it while adding the picture to the text box, which you can then send to any number.

The new passcode bypass method works on all current iPhone models, including iPhone X and XS devices, running the latest version of the Apple mobile operating system, i.e., iOS 12 to 12.0.1.

Until Apple comes up with a security patch, you can temporarily fix the issue by disabling Siri from the lockscreen.

Here's how to disable Siri: Go to the Settings ? Face ID & Passcode (Touch ID & Passcode on iPhones with Touch ID) and Disable Siri toggle under "Allow access when locked."

Of course, disabling Siri would cripple your iOS 12 experience, but would prevent attackers from abusing the feature and breaking into your iPhone.

Meanwhile, just wait for Apple to issue a software update to address the new iPhone passcode bypass bug as soon as possible. 

The Hacker News:

You Might Also Read:

Smartphone Password Vulnerability Discovered

« US Police Will Use Smart Patrolling
Almost Half Of Cyber-Attacks Are Directed At SMEs »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CERT-IS

CERT-IS

CERT-IS is the national Computer Emergency Response Team for Iceland.

Thomas Miller Specialty

Thomas Miller Specialty

Thomas Miller Specialty is a commercial Managing General Agency providing specialty risks insurance including Cyber & e-crime insurance.

Medigate

Medigate

Medigate is a dedicated medical device security platform protecting all of the connected medical devices on health care provider networks.

DataProtect

DataProtect

DataProtect is a specialized information security company providing consultancy, information management, integration and training services.

CyberCareers.gov

CyberCareers.gov

CyberCareers.gov is a platform for Cybersecurity Job Seekers, Federal Hiring Managers and Supervisors, Current Federal Cybersecurity Employees, Students and Universities.

Capsule8

Capsule8

Capsule8 is the only company providing high-performance attack protection for Linux production environments.

Hazy

Hazy

Hazy specialises in financial services, helping some of the world’s top banks and insurance companies reduce compliance risk.

Nominet

Nominet

Nominet's cyber division offers network detection and response services to governments and enterprises worldwide.

Etisalat and (e&)

Etisalat and (e&)

Etisalat Group is one of the world’s leading telecom groups in emerging markets.

Profian

Profian

Profian’s hardware-based solutions maintain your data's confidentiality and integrity in use, providing true confidential computing to meet regulatory and audit requirements.

Coviant Software

Coviant Software

Coviant Software delivers secure managed file transfer (MFT) software that integrates smoothly and easily with business processes.

ImmuneBytes

ImmuneBytes

ImmuneBytes is a cutting-edge security startup that aims to provide a secure blockchain environment for a dependable and open Web3 ecosystem.

Aardwolf Security

Aardwolf Security

Aardwolf Security specialise in penetration testing to the highest standards set out by OWASP. We ensure complete client satisfaction and aftercare.

AI or Not

AI or Not

AI or Not - Leverage AI to combat misinformation and elevate the landscape of compliance solutions.

SixMap

SixMap

SixMap is a continuous threat exposure management platform that automatically provides comprehensive enterprise visibility, contextual threat intelligence, and a suite of remediation actions.

CHERI Alliance

CHERI Alliance

CHERI Alliance is an industry initiative spearheading the global adoption of the Capability Hardware Enhanced RISC Instructions (CHERI) security technology across the computing industry.