A new exploit discovered in iOS 15 allows users to bypass the lock screen and access Notes by using VoiceOver and sharing options. The exploit was discovered by Jose Rodriguez and a proof of concept was posted on YouTube. This is also confirmed to be functional on iOS 14.8.
The exploit is invoked by using Siri to turn on VoiceOver and using it to navigate to Notes in Control Center. This pops up a new note with no user information. Control Center is then invoked again, followed by Stopwatch, and Notes is re-opened. This time, access is gained to all previously saved notes on the device, no matter which format they are in. These even include notes synced from other devices or accounts. The only notes safe from this exploit are password-protected notes.
Rodriguez also demonstrates in his video that the notes can be copied and exported from the iPhone. This is done by getting a call from another device, declining it with a custom message response, and pasting the copied Notes content in the field. This works for both text messages and iMessages.
Of course, to execute this exploit, a user must have physical access to an iPhone, so there is no concern of this exploit being usable remotely. To get Notes information off the device, the phone number of the device must also be known so that it can be called from another phone. Restricting this exploit is also as simple as disabling Siri access from the lock screen, which can be done from iPhone settings.
Rodriguez told AppleInsider that he did not report the bug through Apple’s Bug Bounty Program and instead has shared it publicly. His reason behind the move was that Apple pays very little and also takes a long time to respond and confirm the exploits.
Previously, Rodriguez had reported an exploit and was only paid $25,000 by Apple, as the company declared it a ‘partial access’ bug. Usually, exploits that give access to secure data can have payouts of up to $250,000.
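For managed devices, the mitigation mentioned above (disabling Siri on the lock screen) can be checked in configuration profiles. The following is an added example, not code from Rodriguez or the original article: it audits an unsigned `.mobileconfig` for the Restrictions payload keys `allowAssistantWhileLocked` and `allowLockScreenControlCenter`. Checking the Control Center key is an assumption that goes beyond the article's stated mitigation, and the sample profiles and identifiers are constructed.

```python
import plistlib

# Keys from Apple's Restrictions payload (PayloadType com.apple.applicationaccess).
# Both default to true (feature allowed) when a profile does not set them.
LOCK_SCREEN_KEYS = {
    "allowAssistantWhileLocked": "Siri is available on the lock screen",
    "allowLockScreenControlCenter": "Control Center is available on the lock screen",
}
RESTRICTIONS_TYPE = "com.apple.applicationaccess"


def audit_profile(profile_bytes):
    """Return findings for lock-screen features an unsigned profile leaves enabled."""
    profile = plistlib.loads(profile_bytes)
    allowed = {key: True for key in LOCK_SCREEN_KEYS}  # absent key means allowed
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        for key in LOCK_SCREEN_KEYS:
            if key in payload:
                # Once any restrictions payload disables a feature, it stays disabled.
                allowed[key] = allowed[key] and bool(payload[key])
    return [LOCK_SCREEN_KEYS[key] for key, on in allowed.items() if on]


def make_profile(restrictions):
    """Build a constructed, unsigned sample profile (placeholder identifiers)."""
    payload = {"PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "example.restrictions",
               "PayloadUUID": "00000000-0000-0000-0000-000000000001"}
    payload.update(restrictions)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.profile",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000002",
                           "PayloadContent": [payload]})


if __name__ == "__main__":
    samples = {
        "no lock-screen restrictions": make_profile({"allowCamera": True}),
        "Siri disabled while locked": make_profile({"allowAssistantWhileLocked": False}),
        "Siri and Control Center disabled": make_profile(
            {"allowAssistantWhileLocked": False, "allowLockScreenControlCenter": False}),
    }
    for name, data in samples.items():
        print(name, "->", audit_profile(data) or "lock-screen entry points closed")
```

Signed profiles are CMS-wrapped and need to be unwrapped before `plistlib` can parse them.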