Apple recently began pushing out a new update to its mobile operating system, iOS version 12.1, and unfortunately it comes with a bug that allows an attacker to access an iPhone's full contact information without ever having to enter a passcode. It's a rather simple exploit that doesn't require any programming experience.
All it does require is physical access to the phone that is being targeted. The exploit is rather simple: an attacker just needs to initiate a phone call and then switch to FaceTime as soon as it connects. From there, they can go to the bottom of the screen and select "Add Person," then press the plus (+) icon to view the full list of contacts. Using 3D Touch reveals more information on each contact.
It's incredibly simple, and a disappointing oversight on Apple's part. Here is a video of the exploit in action...
"In a passcode-locked iPhone with latest iOS 12.1. You receive a phone call, or you ask Siri make a phone call (can be digit by digit), and, by changing the call to FaceTime you can access to the contacts list and by doing 3D Touch on each contact you can see more contact information, and doing tap on the contact phone number, allows start a new phone call," security researcher Jose Rodriguez explains.
The exploit seems to work on all current iPhone models, including the newest iPhone XS series, so long as they are running iOS 12.1. If you own an iPhone and have already updated, there is no workaround available at the moment, other than making sure nobody else comes into possession of your iPhone. That's the bad news.
The good news is it probably won't be long before Apple issues a security update to fix this flaw.