While iOS 12 is arguably the best iteration of Apple's mobile operating system yet, one major fault so far is security. On Sept. 26, Videosdebarraquito discovered a passcode bypass that gave access to contacts and photos from the lock screen. Apple has since patched that security flaw, but Videosdebarraquito has discovered a new one that affects all iPhones running iOS 12.1 and 12.1.1 beta.
On Oct. 30, Jose Rodriguez's infamous Videosdebarraquito channel on YouTube showed off the initial bypass vulnerability with a demonstration on the new iOS 12.1 and iOS 12.1.1, this time taking advantage of Apple's new Group FaceTime feature.
In the video below, we see that with just a few normal inputs, users can access the contacts of a locked iPhone if that iPhone is engaged in a phone call, all by taking advantage of Group FaceTime. Unlike the bypass we showed last month, photos can't be accessed, at least not with the method shown here.
You can replicate the bypass yourself to see almost all of someone's contacts and their phone numbers and emails. All you need is the phone number of an iPhone running iOS 12.1 or 12.1.1. Just follow the steps below to access that iPhone's entire contact list, with all attached details:
- Call the locked iPhone. The remaining instructions below are to be done on the locked iPhone.
- Pick up the call.
- Tap "FaceTime" on the call menu screen.
- Immediately, tap the ellipsis (•••) in the bottom right (on iOS 12.1) or swipe up on the panel at the bottom (iOS 12.1.1).
- Tap "Add Person."
- Tap the (+) icon in the top right.
- You now have access to all contacts on the iPhone, including any phone numbers, email accounts, addresses, and other contact information that may be stored.
If you want to try out this bypass for yourself, do it fast. We don't expect this bypass to be available for long. While it may seem like something Apple intentionally included in iOS 12.1 and 12.1.1, the company likely meant to lock it behind Face ID, Touch ID, or passcode security.