A bug in the beta of iOS 13 and iPadOS makes it easy for unauthorized folks to gain access to the “Website & App Passwords” data in Settings app. While such flaws are to be expected in beta versions of operating systems, and will likely be fixed in an upcoming beta, this is still something beta users should be made aware of.
Developer beta 3 or public beta 2 users of iOS 13 and iPadOS will find it easy to bypass the Face ID or Touch ID authentication prompt in the Settings app, when attempting to access iCloud Keychain passwords.
The issue, first noted on Reddit, allows access to saved usernames and passwords by repeatedly tapping the “Website & App Passwords” menu option and avoiding the Face ID or Touch ID prompt. After repeated tries, iOS 13 will display all of the user’s passwords and logins, without successfully authenticating with Face ID or Touch ID. (As shown in a video by iDeviceHelp on YouTube.)
MacTrast has confirmed this flaw is present in the latest iPadOS developer beta. Apple has reportedly been informed of the issue via the Feedback app in iOS 13, but has yet to acknowledge it.
While this is a serious flaw, it isn’t quite as bad as it first sounds, as a bad guy (or your little brother), would need access to your unlocked device. However, it is something beta users should be aware of.
A future version of iOS 13 and iPadOS will likely fix the error. A new version of the betas should drop soon. However, we won’t know until the release if the bug has been fixed or not.