CVE-2025-24146: Deleting Conversations in Messages Exposes User Contact Information in System Logging and How to Fix It

Introduction: The latest vulnerability CVE-2025-24146 discovered in some macOS versions can lead to unauthorized exposure of sensitive user contact information. In this post, we will gather all related information, such as the affected macOS versions, code snippets, original references, and exploit details. Finally, we will look at the preventive measure issued by Apple that solves this vulnerability in its latest software updates.

Affected macOS Versions: It has been reported that this vulnerability affects the following macOS versions:

macOS Sonoma 14.7.3

Bug Detail: When a user deletes a conversation in Messages, the application generates a specific log entry. However, during this process, the operating system does not redact sensitive contact information present in the log file, which may potentially expose data to unauthorized users.

Exploit Analysis

The exploit process demonstrates how contact information may become exposed upon deleting an iMessage conversation. Here is a code snippet that represents the exploit:

// Exploit: CVE-2025-24146
// Description: Exposes contact data in the system log upon deleting iMessage conversation.

const macOSVersion = getOSVersion();
if (isVulnerable(macOSVersion)) {
  let conversation = getIMessageConversation();
  deleteConversation(conversation);
}

function isVulnerable(version) {
  // Affected versions
  const vulnerableVersions = [
    "macOS Ventura 13.7.3",
    "macOS Sequoia 15.3",
    "macOS Sonoma 14.7.3"
  ];
  
  return vulnerableVersions.includes(version);
}

function deleteConversation(conversation) {
  /* ... App-specific conversation deletion logic ... */
  
  log("Conversation successfully deleted", conversation.contactData);  // Exposes sensitive contact data in the system log.
}

As we can see, the deleteConversation function deletes the iMessage conversation and logs its information, thereby exposing sensitive contact details in the system log. The potential risk here is that unauthorized users may access these logs, which may lead to a breach of user privacy.

Original References: More information related to this vulnerability can be found in the following links:

- Apple Security Advisory
- CVE Identifier

Solution: Apple addressed this issue with improved redaction of sensitive information in the affected macOS versions. The problem has been solved in macOS Ventura 13.7.3, macOS Sequoia 15.3, and macOS Sonoma 14.7.3. As a user, updating your macOS to the latest version will keep you protected from this vulnerability.

Conclusion: The CVE-2025-24146 vulnerability in certain macOS versions can potentially expose user contact information when deleting iMessage conversations due to insufficient redaction in system logs. Updating your macOS operating system to the latest version is the recommended solution to protect against unauthorized data access. Stay informed and keep your devices updated for a safe and secure user experience!

Timeline

Published on: 01/27/2025 22:15:19 UTC
Last modified on: 03/18/2025 19:15:48 UTC