iOS 15 Patched Security Hole That Potentially Exposed Users' Private Apple ID Information to Third-Party Apps

[MacRumors]

Apple patched two significant security vulnerabilities when it released iOS 15 that could have potentially exposed users' private Apple ID information and in-app search history to malicious third-party apps and allowed apps to override user Privacy preferences, Apple has revealed in a recent support document update.

With most iOS, macOS, tvOS, and watchOS updates, Apple provides a list of security vulnerabilities patched in that update. Apple maintains a list of security fixes and occasionally updates them with new entries once an investigation of a specific security vulnerability is completed.

Released in September, iOS and iPadOS 15 introduced "additional sandbox restrictions on third-party applications" as a patch, and Apple credits developer Steve Troughton-Smith for assisting it in finding and patching the vulnerability.

Impact: A malicious application may be able to access some of the user's Apple ID information, or recent in-app search terms
Description: An access issue was addressed with additional sandbox restrictions on third-party applications.
CVE-2021-30898: Steven Troughton-Smith of High Caffeine Content (@stroughtonsmith)
Entry added January 19, 2022

Apple does not offer any indication that this particular exploit was actively used in the wild.

In addition, iOS 15, iPadOS 15, and watchOS 8 also patched a security exploit that could allow a third-party app to bypass Privacy preferences. Apple does not provide any more information as to the specifics of the exploit and does not indicate it was actively used.

Apple also updated its security content pages for iOS 14, iOS 15.1, tvOS 15, tvOS 15.1, macOS Big Sur 11.6.1, macOS Big Sur 11.6, and more with newly disclosed security vulnerabilities for each of the updates.

According to Apple, iOS 15 is installed on more than 72% of all iPhones released in the last four years, with iPadOS 15 adoption lower at 57%. Adoption of iOS 15 is considerably lower than iOS 14, which was installed on more than 80% of all iPhones released in the last four years. Even iOS 13 experienced faster adoption rates than iOS 15 as it was installed on 77% of iPhones by January of 2020.

With the newly disclosed security exploits patched in iOS 15 and iPadOS 15, and iOS 15.1 and iPadOS 15.1, users are strongly encouraged to update to the latest iOS and iPadOS versions. The newest released versions are iOS 15.2.1 and iPadOS 15.2.1, while Apple has seeded iOS 15.3 and iPadOS 15.3 betas to developers and public beta testers.

Apple in June said that it would give users a choice when iOS 15 launched as to whether they would wish to update to the newest version or continue to receive iOS 14 security updates. The latter option is no longer available, as Apple is now more aggressively pushing users to update to iOS 15, with users still running on iOS 14 no longer receiving standalone security updates.

Apple says the option to remain on iOS 14 and continue to receive security updates was always meant to be temporary.

Article Link: iOS 15 Patched Security Hole That Potentially Exposed Users' Private Apple ID Information to Third-Party Apps

 

[diddl14]

What's with the CVE number, is this correct? https://nvd.nist.gov/vuln/detail/CVE-2021-30898

 

[BootsWalking]

"Processing a maliciously crafted dfont file may lead to arbitrary code execution"

We're not even safe from fonts!

 

[macguru212]

totally OT but i misread the text as "Pricey. That's iPhone."

I need glasses.?

 

[1284814]

And they are mentioning this info now, is it because of low adoptions?

 

[Freeangel1]

Oh boy.

If the New AMD graphics chip with Ray Tracing used in Samsung Galaxy S22 phones and future phones turns out to be AWESOME I won't have to deal with IOS 15 other than an iPad.

 

[Alfred.Woodden]

It boggles my mind why people don't update their software. In today's world, security flaws should be the number one reason to update.

 

[now i see it]

Impact: A malicious application may be able to access some of the user's Apple ID information..

Well that statement right there pretty much blows a whole in their entire App Store-Is-A-Safe-Walled-Garden narrative.

If crap like this can get through as the App Store currently exists, I’m all for side loading apps from other sources since the security of the App Store is not what we’re led to believe.

 

[jdavid_rp]

Oh boy.

If the New AMD graphics chip with Ray Tracing used in Samsung Galaxy S22 phones and future phones turns out to be AWESOME I won't have to deal with IOS 15 other than an iPad.

Yeah, im sure 30 minutes of raytracing gaming at 30FPS until the battery dies its the best thing ever that I would use everyday too.

 

[Alfred.Woodden]

Well that statement right there pretty much blows a whole in their entire App Store-Is-A-Safe-Walled-Garden narrative.

If crap like this can get through as the App Store currently exists, I’m all for side loading apps from other sources since the security of the App Store is not what we’re led to believe.

Sideloading would probably increase it by a magnitude, maliciously, not by mistake which is the case here.

 

[Jim Lahey]

It boggles my mind why people don't update their software. In today's world, security flaws should be the number one reason to update.

Some are probably a bit nervous about Apple themselves deliberately building potential security flaws into their upcoming software updates.

 

[TheFluffyDuck]

Having servers in China, and some big brother AI photo scanning nonsense to "save children" is also a massive security hole as well. Might want to patch those as well.

 

[Alfred.Woodden]

Some are probably a bit nervous about Apple themselves deliberately building potential security flaws into their upcoming software updates.

But Apple is pacthing known vulnerabilities that either are in the wild or could be at some point. Whichever new flaws are created with their updates and patches, won't be known to bad adversaries for a while. It's a never-ending cat and mouse game, and not updating because you're worried about new flaws is a bad strategy from a security point of view. Software has and will always have security flaws. Update your software!

 

[kemal]

Doug Henning on App Store security "it's an illusion."

 

[Jim Lahey]

But Apple is pacthing known vulnerabilities that either are in the wild or could be at some point. Whichever new flaws are created with their updates and patches, won't be known to bad adversaries for a while. It's a never-ending cat and mouse game, and not updating because you're worried about new flaws is a bad strategy from a security point of view. Software has and will always have security flaws. Update your software!

Yep. Agree with the overall sentiment but the choice becomes tricky when you know that Apple plan to deliberately compromise future updates and potentially cave into state pressure to exploit them at a later time. You can’t roll back once they stop signing older versions.

 

[contacos]

the lack of transparency from Apple is sometimes really astonishing

 

[Saturn007]

Software has and will always have security
flaws. Update your software! :)

And, destroy your iPad's battery life!

Thanks, Apple!

 

[imagineadam]

It boggles my mind why people don't update their software. In today's world, security flaws should be the number one reason to update.

What’s the worst that could happen? And how often does it actually happen?

 

[rweiser]

Well that statement right there pretty much blows a whole in their entire App Store-Is-A-Safe-Walled-Garden narrative.

If crap like this can get through as the App Store currently exists, I’m all for side loading apps from other sources since the security of the App Store is not what we’re led to believe.

So you're saying that if there's a hole in the garden's wall, we might as well just break the entire wall down?

 

[VulchR]

It boggles my mind why people don't update their software. In today's world, security flaws should be the number one reason to update.

Totally agree. This is why I am not updating to iOS 15, at least not until Apple commit to removing the CSAM spying software from the operating system.

 

[spartan1967]

It boggles my mind why people don't update their software. In today's world, security flaws should be the number one reason to update.

That’s why Apple needs to continue to update 14.

 

[antnythr]

So Apple released iOS 15 which patched this bug, but didn’t apply the fix to iOS 14? They intentionally left a supported version of iOS vulnerable?

They just got roasted for this **** like 2 months ago with MacOS:

PSA: Apple isn’t actually patching all the security holes in older versions of macOS

Big Sur got a fix 234 days before Catalina did, although both are supported.

arstechnica.com

 

[citysnaps]

Well that statement right there pretty much blows a whole in their entire App Store-Is-A-Safe-Walled-Garden narrative.

If crap like this can get through as the App Store currently exists, I’m all for side loading apps from other sources since the security of the App Store is not what we’re led to believe.

It's nice believing that 100% perfection exists 100% of the time, especially when humans are involved.

Perhaps it does on planet Ork. Certainly not here on planet Earth.

 

[I7guy]

It's nice to believing that 100% perfection exists 100% of the time, especially when humans are involved.

Perhaps it does on planet Ork. Certainly not here on planet Earth.

That's the "throw the baby out with the bath water" crowd mentality. Since it isn't perfect, might as tear down the walls and let 'er rip...instead of a more rational approach of what needs to be done to improve it.

 

[mansplains]

Yeah, im sure 30 minutes of raytracing gaming at 30FPS until the battery dies its the best thing ever that I would use everyday too.

Would the battery still die if you use it plugged in? Or would you suffer the third degree burns until the phone explodes?