An iPhone bug that Apple patched last January to stop unauthorized users from bypassing the password-protected locking feature has resurfaced in newer versions of the phone's software.
The bug also affects the iPod touch.
First reported yesterday by a user identified as "greenmymac" on the MacRumors forum, the flaw lets anyone sidestep passcode locking by simply tapping "Emergency Call" on the password entry screen, then double-tapping the Home button.
That leads to the iPhone's Favorites, a list of frequently-called contacts, and their contact information, including phone numbers and addresses. If any of the contacts have e-mail addresses or Web URLs associated with them, the trick also allows access to the iPhone's e-mail application and Safari browser, respectively.
Computerworld confirmed that the bug is present in both iPhone 2.0 and iPhone 2.0.2.
Last January, Apple issued iPhone 1.1.3 and iPod touch 1.1.3, a firmware update that included patches for three security vulnerabilities. According to the accompanying advisory, one of the three fixed the passcode lock sidestep problem.
"The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered," said Apple's advisory. "An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode. This update addresses the issue through an improved check on the state of the Passcode Lock."
Users commenting on Apple's iPhone support board weren't happy. "Wow...now the simple security issue," said "squarejp" on Apple's forum. "Apple is sure releasing beta software."
A workaround, several users said, is to go to Settings/General/Home Button on the iPhone, then select Home. The emergency call bypass then cannot access Favorites -- the default on the iPhone for a double-tap; instead, the passcode screen simply reappears.
Apple did not immediately reply to questions about the January fix and the bugs reappearance.