CVE-2023-23505 - How a Log File Bug Exposed Apple Users’ Contacts—What Happened And How It Was Fixed

Summary:  
CVE-2023-23505 is a critical privacy vulnerability discovered in several popular Apple operating systems—macOS, iOS, iPadOS, and watchOS. The issue allowed apps to access sensitive contact information through improperly redacted log entries. Apple patched the bug in early 2023. In this long read, I’ll explain how it worked, show an example of the problem, give links for deeper reference, and describe how you can protect yourself.

What Was the Issue?

Most operating systems record internal messages—like errors or diagnostic details—in log files. These logs can be helpful for troubleshooting but can also accidentally leak private information if they’re not handled the right way. In the case of CVE-2023-23505, Apple’s systems weren’t properly “redacting” (hiding) sensitive fields such as user contacts from their logs. A clever or malicious app could look at these log entries and gather information about the user's contacts, even if it didn’t have permission to access them otherwise.

macOS Big Sur: before 11.7.3

- iOS / iPadOS 16: before 16.3
- iOS / iPadOS 15: before 15.7.3

watchOS 9: before 9.3

Check your device and make sure you’re running at least these versions to be fully protected.

Apple patched the bug by improving how private data was hidden (redacted) in log entries.

Apple's official advisory:  
https://support.apple.com/en-us/HT213606

How Did the Vulnerability Work? (Technical Walkthrough)

The heart of CVE-2023-23505 was that when an app called certain APIs, error logs or diagnostic messages might inadvertently include full, unobscured details about contacts—names, phone numbers, emails, etc. Normally, these sensitive parts should show up as [REDACTED] or be masked, but due to the bug, this wasn’t always happening.

Example Code Snippet

Let’s say an app tries to access contacts but doesn’t have the right permissions. Apple’s system denies the request, but logs the event:

This pseudocode example, in Swift, demonstrates the risky behavior

import Contacts

let store = CNContactStore()
let keysToFetch = [CNContactGivenNameKey, CNContactFamilyNameKey]

do {
    let contacts = try store.unifiedContacts(matching: NSPredicate(value: true), keysToFetch: keysToFetch as [CNKeyDescriptor])
    print("Contacts fetched: \(contacts)")
} catch {
    NSLog("Contact fetch failed: \(error.localizedDescription)")
}

When this fails, the NSLog might log not only the error, but also the data from the failed fetch—sometimes including actual contact data that should be kept private!

- Important: Malicious apps could read these logs and extract users’ contact info _without user consent._

After update, sensitive information is sanitized in all log entries

// Same code as above, but the log now looks like:
Contact fetch failed: Access Denied. [Sensitive content redacted]

Now, even if an attacker reads system logs, they’ll see that the sensitive parts are blocked out.

Log Monitoring: The app reads the system or app log files to search for leaks.

4. Data Extraction: Sensitive details about the user’s contacts are now visible to the malicious app, skirting privacy protections.

In short, the normal privacy restrictions were bypassed by using logs as a "side channel."

Call APIs expected to fail but to touch Contacts.

- Collect the system logs from within the app by reading /var/log/ or using logging APIs (where permitted).

What Did Apple Do to Fix This?

Apple improved its “data redaction” mechanisms in how log entries are written. After the updates, instead of including raw names, emails, or phone numbers, any potentially private fields are either removed or replaced with generic tags like [REDACTED] or [PRIVATE]. This stops abused logs from leaking secrets.

UPDATE YOUR DEVICES: Make sure you’re running at least the versions listed above.

- AUDIT APP PERMISSIONS: Be careful which apps you download, and regularly review their permissions.

Original Apple Security Update (HT213606):

https://support.apple.com/en-us/HT213606

CVE Record:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23505

The Register coverage:

https://www.theregister.com/2023/01/24/apple_patches_privacy_leak/  

Conclusion

CVE-2023-23505 is an example of how even logs—meant to help developers—can sometimes be a sneaky security risk. Thanks to responsible disclosure and Apple’s patch, users’ private data is safer now. As always, keeping your devices updated is the number one thing you can do to stay secure.

Have questions or want to learn more? Check out the links above or comment below!

Timeline

Published on: 02/27/2023 20:15:00 UTC
Last modified on: 03/08/2023 16:34:00 UTC