A week after Apple released its much-awaited iOS 13 update for its devices, the company issued yet another warning: a bug in the new operating system could allow third-party keyboard applications to inadvertently leak user data without the user's consent.
Apple released a support announcement today saying that it has discovered a bug in iOS 13 and iPadOS that allows keyboard extensions, such as Microsoft-owned SwiftKey or Google’s Gboard, to be granted privileged access to user data without the user confirming and agreeing to grant those applications full access.
Third-party keyboard extensions, as Apple explained, can be “designed to run entirely standalone,” meaning they can run without any special access to the device’s network. However, these apps can also request “full access” to provide additional features through network access. According to the tech giant, this process of requesting and granting access can be exploited and could lead third-party keyboard extensions to leak some user data.
The bug affects iPhone, iPad and iPod touch devices, and only those running the newly released iOS 13. Apple also stresses that the issue does not affect the built-in keyboards on these devices.
“This issue does not impact Apple’s built-in keyboards. It also doesn’t impact third-party keyboards that don’t make use of full access,” the company said in the support announcement.
The tech giant said that a fix will be available soon in an upcoming round of updates for the new operating system; however, the company did not say exactly when it will release the update.
“An upcoming software update will fix an issue that impacts third-party keyboard apps. This issue applies only if you’ve installed third-party keyboards on your iPhone, iPad, or iPod touch,” they added.
Apple’s iOS 13 is the newest generation of the operating system used by the company's smartphones and tablets. Earlier this week, the smartphone manufacturer officially launched the new update, which works on iPhones from the iPhone 6s onward.
iOS 13 is riddled with bugs
The release of the new iOS has had some issues, and the company decided to push iOS 13.1 yesterday in order to fix a bug that would expose contact information saved on an iPhone without requiring a password or any form of biometric identification. The first update for iOS 13, which was scheduled to be released on September 30, was launched a week earlier in order to address the vulnerability.
The bugs in the new operating system do not end there. iOS 13.1 also addresses a major issue with its location permissions. According to recent reports, when a user chose never to share location details with an app, the bug instead changed the response to “Ask next time.”
Apple has been alerted to iOS 13 vulnerabilities since July
Apple was alerted to some of these vulnerabilities months before it released iOS 13. However, the smartphone maker only decided to fix them after some users had already been exposed to the potential risks associated with these security vulnerabilities.
Jose Rodriguez, a cybersecurity enthusiast living in the Canary Islands, has been contacting Apple since then regarding his discovery of a potential “passcode bypass,” and asked the company whether his discovery qualifies for the company’s bug bounty program.
Rodriguez went public after he realized that Apple had no intention of fixing the bug before releasing the iOS 13 update, even though Apple had followed up on his discovery and his assistance in determining the problem.
As of writing, it is still unclear whether the change in the update release timeline was prompted by Rodriguez's discovery, or whether he was able to earn the bounty he deserves for discovering the bug.