O-Day iPad Public Display Security Code — Proof Of Concept for the 2-Factor password display on an iPad
For a holiday gift, I received an iPad Pro. Of course, I started using it to read LinkedIn. Naturally, I enabled 2 Factor Authentication. I chose the option of the text message. For several weeks, my eyes blithely overlooked the publicly displayed security code on the title bar of the iPad keyboard. I kept looking for the sent code in the iMessages app.
On March 12, 2020, I asked myself, “Wait! Why is this happening? Why is the supposed secure text message code appearing publicly on the title bar of the keyboard, for any and all to see? Why is the code appearing in both my iPhone and iPad iMessages? ”
At first, I thought it was a browser issue. Tried out several browsers - Opera, Chrome, Safari, Brave, and Firefox. I tested with both the public and private options. The secret text code displayed on the title bar of the keyboard.
Then I realized the sent security text messages contained in the iMessages app were displaying on the keyboard. An analogy would be - neighbors gossiping over the backyard fence.
Keyboard displaying security code
The security code sent to iMessage
To test this, I used an old iPad where the iMessages app was not enabled. The keyboard title contained the word, Password. In this case, the text code only appeared in my iPhone iMessage. No code displayed on the title bar of the keyboard.
On March 13, 2020 and March 14, 2020, I filed several security issues using the Apple Developer Feedback Assistant.
In iPad OS update, 13.4.01, the keyboard no longer displays iMessages code.
(Of interest, the old iPad, OS 9.3.5, keyboard no longer displays, Password in the title bar.)
Thank you for reading,