Apple's Control Center used to bypass iOS 7 passcode lock [u]A security hole in iOS 7 has been reported in which Apple's Control Center, along with some quick finger work, can be used to bypass a passcode protected lock screen on an iPhone or iPad running iOS 7, grating access to Mail, Photos and Twitter, and more.
The exploit, discovered by Jose Rodriguez on Thursday, take a bit of finesse to get right, though we have independently verified that it works. It is somewhat reminiscent of a lock screen bug in iOS 6.1 that allowed access to Contacts, Photos and Voicemail by using a complex string of commands including the emergency call feature.
As reported by Fortune, the recently discovered vulnerability involves Control Center, a new feature in iOS 7 that gives users quick access to commonly used apps and commands.
First, a nefarious user must invoke Control Center by swiping up from the bottom of a locked iPhone or iPad's lock screen. From there, the Clock app can be opened even without a passcode. Holding down the power button will bring up the shut-off pane. This next part is tricky, though is manageable with practice. Instead of swiping to power down the device, cancel is selected, followed quickly by one short and one long press of the home button. The device enters the iOS 7 multi-tasking view and from there Mail, Photos and Twitter can be accessed.
The exploit can be defeated by simply disabling Control Center in the lock screen, though this somewhat hampers the new iOS 7 capability. It should also be noted that access is only granted to app open prior to locking the device, and the titles affected by the workaround are limited. For example, Safari cannot be opened from the multi-tasking view.
We tested the bug on both the iPhone 5 and third-generation iPad, and while it took a few tries, the process does work.
Apple will most likely patch the issue in an upcoming software update.
Update: Apple has confirmed to AllThingsD that a fix is in the works and will be included in a future update. No estimated release date was given.