A significant privacy issue was recently discovered and addressed with improved private data redaction for log entries. Tracked as CVE-2023-23541, this vulnerability could allow apps to gain unauthorized access to information about a user's contacts. Fortunately, Apple has now fixed this issue in their latest releases: iOS 15.7.4, iPadOS 15.7.4, iOS 16.4, and iPadOS 16.4.

In this long read, we will uncover the details of this vulnerability, explore its impact on devices, and lay out the necessary steps for mitigation.

Original Reference

CVE-2023-23541 is officially documented by Apple in their security content page for iOS and iPadOS. You can find more information and the official reference here:

- Apple Security Content for iOS 16.4 and iPadOS 16.4

Code Snippet

By exploiting the vulnerability, a malicious app could potentially gain access to the user's contact data because of inadequate data redaction in log entries. The following code snippet demonstrates how this information leak might have occurred:

import Contacts

func fetchContacts() {
    let contactStore = CNContactStore()
    let keysToFetch = [CNContactGivenNameKey as CNKeyDescriptor, CNContactFamilyNameKey as CNKeyDescriptor, CNContactPhoneNumbersKey as CNKeyDescriptor]
    
    let fetchRequest = CNContactFetchRequest(keysToFetch: keysToFetch)
    
    do {
        try contactStore.enumerateContacts(with: fetchRequest) { (contact, stopPointer) in
            print("Contact: \(contact.givenName) \(contact.familyName)")
            // Inadequate data redaction in log entries may lead to information leak
            NSLog("Phone Number: \(contact.phoneNumbers.first?.value.stringValue ?? "")")
        }
    } catch {
        print("Error fetching contacts: \(error)")
    }
}

By analyzing this code snippet, we can see how easy it would have been for a malicious application to access and misuse the contact information of a user, potentially causing severe breaches of privacy.

A malicious app could then use the inadequately redacted log entries to gather the user's private contact information.

Considering many users unknowingly grant permissions to apps that request access to their contacts or other personal information, this security flaw could lead to significant privacy issues for the users.
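
For app developers, the counterpart of the snippet above is to mark contact fields as private at the point where they are logged. The following is an added example, not code from the original page and not Apple's fix for CVE-2023-23541; it uses the unified logging `Logger` API (iOS 14 and later), and the subsystem string and function name are hypothetical.

```swift
import Contacts
import os

// Hypothetical subsystem and category, chosen for this example.
private let logger = Logger(subsystem: "com.example.contactsdemo", category: "contacts")

/// Enumerates contacts and logs progress without writing names or numbers in clear text.
/// Returns the number of contacts visited.
@discardableResult
func fetchContactsWithRedactedLogging() -> Int {
    let contactStore = CNContactStore()
    let keysToFetch = [CNContactGivenNameKey as CNKeyDescriptor,
                       CNContactFamilyNameKey as CNKeyDescriptor,
                       CNContactPhoneNumbersKey as CNKeyDescriptor]
    let fetchRequest = CNContactFetchRequest(keysToFetch: keysToFetch)
    var count = 0

    do {
        try contactStore.enumerateContacts(with: fetchRequest) { contact, _ in
            count += 1
            let given = contact.givenName
            let family = contact.familyName
            let number = contact.phoneNumbers.first?.value.stringValue ?? ""

            // .private: the stored log entry carries "<private>" in place of the value.
            logger.debug("Contact: \(given, privacy: .private) \(family, privacy: .private)")

            // .private(mask: .hash): the entry carries a hash of the value, so two
            // entries for the same number can be correlated without revealing it.
            logger.debug("Phone number: \(number, privacy: .private(mask: .hash))")
        }
        // An aggregate count contains no contact data and can be logged publicly.
        let total = count
        logger.info("Enumerated \(total, privacy: .public) contacts")
    } catch {
        // Error descriptions may embed user data; log only the numeric code publicly.
        let code = (error as NSError).code
        logger.error("Contact fetch failed, code \(code, privacy: .public)")
    }
    return count
}
```

Unlike `print` and `NSLog` with an interpolated string, the privacy annotations here are applied by the logging system per argument, so the message text stays readable while the contact fields do not.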

Steps for Mitigation

Apple has addressed this vulnerability by improving the private data redaction method in their latest iOS and iPadOS updates. Therefore, the recommended mitigation steps are as follows:

1. Update your devices to iOS 15.7.4 or iPadOS 15.7.4, or to the later versions iOS 16.4 and iPadOS 16.4.
2. Grant permission to access your contacts and other sensitive information only to trusted applications.
3. Regularly review the list of apps that have access to your contacts and reconsider whether they really need that permission.

Conclusion

CVE-2023-23541 demonstrates the importance of continually refining security measures for mobile devices and the need for users to be vigilant about their privacy. Apple has fixed the issue in their latest iOS and iPadOS versions by improving private data redaction methods for log entries to prevent unauthorized access to the user's contact information. Updating your device to the latest software version and being cautious when granting permissions to apps will help protect your privacy and keep your personal information safe.

Timeline

Published on: 05/08/2023 20:15:00 UTC
Last modified on: 05/16/2023 19:18:00 UTC