Microsoft has acknowledged a security vulnerability on Windows 10 Mobile that could allow strangers to bypass your lock screen to access your photo library (via Neowin). The good news is that your Windows phone will only be vulnerable if you’ve enabled Cortana on your lock screen, but the bad news is that Microsoft won’t be fixing this security hole.
“A security feature bypass vulnerability exists in Windows 10 Mobile when Cortana allows a user to access files and folders through the locked screen,” the company explained. “An attacker who successfully exploited this vulnerability could access the photo library of an affected phone and modify or delete photos without authenticating to the system. To exploit the vulnerability, an attacker would require physical access and the phone would need to have Cortana assistance allowed from the lock screen.”
This security vulnerability apparently affects all versions of Windows 10 Mobile, but it hasn’t been exploited yet according to Microsoft. Again, the only mitigation is to disable Cortana on your lock screen. Microsoft provided the following steps to protect your handset:
- Open the Cortana app from the applications screen.
- Tap on the Menu button (3 horizontal bars) in the top left of the Cortana app.
- Tap on the Settings option.
- Set the slider for the Lock Screen option to Off to prevent access to Cortana when the device is locked.
With Windows 10 Mobile version 1709 getting its two final patches in November and December, it’s not clear why Microsoft isn’t fixing this vulnerability before the end of support. The workaround should be good enough for the remaining Windows 10 Mobile users, but this decision is still surprising for a company that usually takes security so seriously.