Apple OA Interview Question: Unauthorized Access to Photo Library via Camera App on Lock Screen


Scenario

A researcher previously submitted a report to Product Security that initially seemed like a security issue. After engaging the engineering team, we determined that this was not actually a security issue. An automated email was sent to the researcher informing them it is not a security issue. Respond to the email from the researcher.

Email

Hi Product Security!

For the last few weeks, the status of this report said that you were investigating this issue, and it even said you planned to fix it in Fall. I just got an update that says you no longer think this is a security issue… What happened? I really think that it is important for Apple to fix this issue to protect its customers!

Please respond to me ASAP. I look forward to hearing from you.

Researcher Report

Title: Unauthorized Access to Photo Library via Camera App on Lock Screen

I am reporting a security concern where a user can access their photo library from the lock screen after launching the Camera app. This behavior bypasses the intended security restrictions of the lock screen, potentially exposing private photos to unauthorized viewers.

Issue Description:

When the Camera app is launched from the lock screen, users can interact with recently taken photos or swipe to view their photo library without unlocking the device. This access could unintentionally expose private or sensitive images.

Steps to Reproduce:

  • Ensure the Camera app is accessible from the lock screen in device settings.
  • Lock the iPhone and access the lock screen.
  • Swipe to open the Camera app.
  • Take a photo or video.
  • Tap on the thumbnail of the captured photo or swipe left to view other photos in the library.
  • The user is able to view stored images or videos without unlocking the device.

Impact:

  • Privacy Violation: Sensitive images or videos stored in the library can be accessed without authentication.
  • Data Exposure: In case of theft or unauthorized access, this behavior could compromise the user’s privacy.

Proposed Solutions:

  • Restrict access to the photo library from the lock screen by requiring authentication before allowing users to view or swipe beyond newly captured media.
  • Limit the Camera app on the lock screen to capturing photos and videos without access to the photo library.
  • Provide an option for users to disable thumbnail previews in the Camera app on the lock screen.

Affected Devices:

This issue has been observed on iPhones running iOS 18.1 where the Camera app is accessible from the lock screen.

This prompt is an email-writing scenario in a security triage context. The key is to respond professionally, acknowledge the researcher's concern, and explain that, on review, the observed behavior does not expose previously stored photos from the lock screen, so the report is not treated as a security issue. The answer should be calm and respectful, and clear both about the reproduction boundary (what is and is not viewable from the lock-screen Camera session) and about the final determination.
