iPhone Security Hole Lets Anyone See Your Contacts

iOS is renowned for having good security, but that doesn't mean the system is flawless. A novel, albeit not devastating, passcode bypass could let anyone with physical access to your iPhone see your entire contact list and their associated photos.

By taking advantage of a flaw in the way Siri, the contact list and the esoteric VoiceOver mode interact, a dedicated attacker could learn the names and contact information for every friend, coworker and loved one in your iPhone, plus whatever images you use to represent them.

The good news is that there's a very easy way to prevent anyone from taking advantage of this bypass: Don't lend your phone to anyone, unless you trust him or her implicitly. (And, obviously, don't let your phone get stolen.) The flaw takes a good minute or two to exploit and requires a user to have your phone in hand in a quiet environment.

The information comes from Spanish hacker Jose Rodriguez, who runs videosdebarraquito, an iPhone enthusiast channel on YouTube and Instagram. In a video entitled "Passcode Bypass iOS 12 (1-Call)," Rodriguez demonstrates how to access a user's contact list, even when the phone is locked down tight behind a passcode.

Security news website Threatpost checked Rodriguez's work and discovered that the flaw works on iOS 12 and the iOS 12 beta on an iPhone XS. It's likely that this method can compromise all up-to-date iPhones, including the brand-new iPhone XS Max and XR as well as the XS. (Rodriguez himself uses an older Touch ID-enabled model in his demonstration video.)

But if you're curious how it works, Rodriguez discovered a rather clever exploit. Even when an iPhone is locked, a user can invoke Siri by tapping twice on the home button. Siri won't let you access sensitive information this way, but one thing you can do is ask Siri to turn on the phone's VoiceOver mode.

VoiceOver helps vision-impaired users by announcing whatever's currently highlighted on the screen: "Text message notification," for example, if someone sends you a text and you have notifications enabled at the top of your screen.

Using VoiceOver mode, Rodriguez was able to answer an incoming phone call by using Message. However, VoiceOver mode does something funny. If you choose to "personalize" your messaging options, you can scroll through a blank screen, where your contact names and numbers would normally be.

This doesn't present a risk in and of itself, but users can then scroll to the top of the screen and select the text field to write in a contact's name. This is where the bypass comes in: If you write a letter or a number, the iPhone will show you all contacts with that letter or number included in them. From there, it's a matter of selecting a contact, tapping "Add information to existing contact," and being able to access a user's entire contact list.

None of this is simple. To pull this off, you'd first need to tape over or disable the Face ID camera on an iPhone X, XS, XR or XS Max, or just use a Touch ID iPhone. You'd also need another phone to call or FaceTime the targeted iPhone at exactly the right moment in your passcode-bypass process.

And what a long process it is: The GadgetHacks website enumerated 37 separate steps in Rodriguez's hack, although GadgetHacks confirmed that it does indeed work.

In any case, a successful bypasser would have access to every name, phone number and email address in your contact list. In all likelihood, this includes professional contacts, close friends and loved ones, all of whom could make easy scam targets.

What's also troubling is that if you have a photo attached to a contact, the attacker will be able to see that too. This isn't as damning as being able to access your entire photo library, but the attacker will know what many of your friends and family look like. If you have a lewd photo saved for a contact, of course, an attacker can see that as well.

It's worth pointing out that while this security hole is troubling, it's hardly catastrophic. There is no evidence that anyone could use this method to gain full access to your phone, nor is there any indication that anyone's tried to exploit it in the wild.

Tom's Guide has reached out to Apple for comment. Whether or not we get a reply, the flaw will probably be addressed soon. Until then, keep your phone where you can see it.

Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi. 
