CVE-2023-23529 - How a Safari Type Confusion Bug Risked Millions of Apple Devices

In early 2023, Apple quietly patched a serious security flaw affecting its most popular operating systems—macOS, iOS, iPadOS, and even Safari. The vulnerability, tracked as CVE-2023-23529, is a “type confusion” bug in WebKit, the engine behind Safari and many other apps that display web content. In this long read, we’ll break down what happened, how attackers could exploit the bug to run code on your device, and how Apple fixed it. If you’ve ever wondered how a single bug could threaten millions of users, keep reading.

What is CVE-2023-23529?

Let’s start simple: CVE-2023-23529 is a security code that identifies this specific vulnerability. Apple grouped this bug under “type confusion” inside WebKit. Basically, a “type confusion” happens when the program gets mixed up about what type of data it is handling. Think of it like mistaking a house key for a car key—they look similar, but using the wrong one at the wrong time can cause problems.

macOS Ventura (before 13.2.1)

- iOS / iPadOS (before 16.3.1)

Safari (before 16.3)

Fixed in:  
macOS Ventura 13.2.1, iOS 16.3.1 & iPadOS 16.3.1, Safari 16.3

What Could Go Wrong?

Apple admitted that “processing maliciously crafted web content may lead to arbitrary code execution.” In plain language, if an attacker sent you to a hacked website, they could run any software they wanted on your device, sometimes without you knowing.

Worse, Apple is aware this vulnerability was actively exploited. That means bad guys probably used it before Apple or the public knew about it.

Apple Security Advisory

How Did the Attack Work?

While Apple didn’t publicly describe every detail (to prevent more exploitation), security researchers dug into WebKit’s code changes. The bug boiled down to JavaScript objects being used in ways the developers didn’t plan for. An attacker could craft web content so WebKit made a *type confusion*—mistaking one type of object for another.

Here’s a simplified example in JavaScript

// Hypothetical snippet showing shape confusion
let arr = [1.1, 2.2, 3.3];
let obj = {foo: 1};
arr.__proto__ = {};
arr[] = obj; // Now WebKit may treat an object as a number

// Attacker triggers type confusion via crafted content

If the browser’s “safety checks” don’t catch this, a hacker can control what’s in memory, potentially writing shellcode to take over your device.

Why WebKit Matters

If you use Safari *or* any app that displays web content (including many third-party iOS apps), you’re using WebKit. This means the bug isn’t just limited to the Safari browser—it affects almost all web browsing you do on Apple devices.

The Fix: Added Checks

Apple addressed the issue by adding improved type checks before using objects, making sure they really are what the code expects.

You can see the relevant code change (patch) in the WebKit project

- WebKit Commit  
(Public reference—not guaranteed to show all details for safety)

The fix verifies the type before using an object as another kind.

CVE-2023-23529 Exploit In the Wild

Security company Google Threat Analysis Group (TAG) confirmed this bug was used in real attacks, possibly to install spyware or steal data from targeted users—all by getting them to open a web page.

A public, safe proof-of-concept demo can be found here

- HackerOne Report #1718689  
Note: The exploit code won’t crash your device, but it shows how type confusion bugs work.

Here’s a general structure

// Demonstration only - this does NOT exploit devices
function triggerTypeConfusion() {
    let fake_arr = {}; // Not a real array!
    let arr = [1.1, 2.2];
    arr.__proto__ = fake_arr;
    // If the browser is vulnerable, using arr could cause a crash or worse
}

triggerTypeConfusion();

How to Stay Safe

Update, update, update!

Get Safari 16.3 or later (if you use older macOS)

To check if you’re safe, go to Settings → General → About and see your system version.

Conclusion

CVE-2023-23529 shows how one small coding mistake in a big program like WebKit can threaten millions. If you haven’t updated your Apple devices, do it now. For the technical crowd, use the references below to learn more or try basic test code in a safe environment.

References

- Apple Security Updates
- NIST CVE Entry
- WebKit Diff/Patch
- Google Blog: -Day In the Wild

*Stay vigilant. Always update your devices to stay ahead of hackers exploiting hidden bugs like CVE-2023-23529.*

Timeline

Published on: 02/27/2023 20:15:00 UTC
Last modified on: 03/28/2023 05:15:00 UTC