Apple’s new predictive keyboard may be just a little too indiscreet when it comes to suggesting words.
Apple forum member ramiroegueta discovered that QuickType will suggest a part of his password when he enters a name or username in a text field.
For example, every time ramiroegueta keys in “AppleUser,” his username, QuickType suggests “OrangeJuice,” which forms part of his password “OrangeJuice!2.”
The auto-complete reportedly occurs in Safari and in Notes.
Techno Buffalo tried to access Facebook on a Safari page and a banking app using QuickType, but wasn’t able to replicate the problem.
This iOS 8 flaw was apparently first discovered by German security researcher Stefan Esser last week.
Needless to say, having an iOS 8 device that remembers and auto-completes part of a user’s password puts the user’s privacy and security at risk.
The best solution for the problem now is to turn off QuickType.
Go to Settings > General > Keyboard > Predictive, toggle it off, and QuickType will be disabled.
See a related AP story on phone security below.
FBI Chief: Apple, Google Phone Encryption Perilous
WASHINGTON (AP) — The FBI director on Thursday criticized the decision by Apple and Google to encrypt smartphone data so that it is inaccessible to law enforcement, even with a court order.
James Comey told reporters at FBI headquarters that U.S. officials are in talks with the two companies, which he accused of marketing products that would let people put themselves beyond the law’s reach.
Comey cited child-kidnapping and terrorism cases as two examples of situations where quick access by authorities to information on cellphones can save lives. Comey did not cite specific past cases that would have been more difficult for the FBI to investigate under the new policies, which only involve physical access to a suspect’s or victim’s phone when the owner is unable or unwilling to unlock it for authorities.
“What concerns me about this is companies marketing something expressly to allow people to hold themselves beyond the law,” Comey said. At another point, he said he feared a moment “when people with tears in their eyes look at me and say, ‘What do you mean you can’t?’”
Comey said he was gathering more information about the issue and would have more to say about it later.
An FBI spokesman Thursday was not able to immediately amplify Comey’s remarks.
Both Apple and Google announced last week that their new operating systems will be encrypted, or rendered in code, by default. Law enforcement officials could still intercept conversations but might not be able to access call data, contacts, photos and email stored on the phone.
Even under the new policies, law enforcement could still access a person’s cellphone data that has been backed up to the companies’ online-storage services. They could also still retrieve real-time phone records and logs of text messages to see whom a suspect was calling or texting, and they could still obtain wiretaps to eavesdrop on all calls made with the phones.
Apple, in an explanation of its new policy, says on its website that on devices running its new operating system, “your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession.”
Comey’s criticism closely tracked complaints earlier this week by Ronald T. Hosko, a former FBI assistant criminal division director who wrote in The Washington Post that Google’s and Apple’s policies would have resulted in the death of a hostage in a recent North Carolina kidnapping.
The newspaper subsequently corrected Hosko’s claims after concluding that the new encryption systems would not have hindered the FBI’s rescue of the kidnap victim in Wake Forest, North Carolina. In that case, the FBI pulled telephone records associated with the number used to contact the victim’s family for the ransom demand, retrieved other connected toll records and eventually obtained a traditional wiretap to eavesdrop on the kidnappers’ conversations and locate and rescue the victim.
The only telephone physically seized in the North Carolina case belonged to a woman accused in the plot, after the hostage was already rescued. Authorities had tried to seize the cellphone from one of the alleged plotters, Kevin Melton, but he smashed it to pieces inside his prison cell on April 9, roughly four hours before the FBI rescued the victim in an Atlanta apartment.
Commenting on Comey’s remarks Thursday, Matt Blaze, a computer security researcher and professor at the University of Pennsylvania, said, “It’s disappointing that the FBI has chosen to focus on examples where encryption might potentially slow hypothetical investigations, while ignoring the fact that strong, reliable encryption is the only way we have to prevent a wide range of very real and very serious crimes.”
“We rely on smartphones to manage and protect more and more aspects of our business, personal and financial lives,” Blaze added.
A spokeswoman for Apple and a spokesman for Google did not immediately return phone messages from The Associated Press. Google previously said in a statement that its Android phones have offered encryption for three years, but that it would be turned on by default in the next release of its operating system.