In 2023, Apple tackled a security flaw tagged CVE-2023-32360, which affected its macOS printing system, possibly letting unauthorized users see documents that had been recently printed. This issue, rooted in improper authentication, was quietly fixed in macOS updates—Big Sur 11.7.7, Monterey 12.6.6, and Ventura 13.4. In this long read, we’ll dive into how unauthenticated access was possible, what code changes were made, and how you could have reproduced the vulnerability yourself.
What Was CVE-2023-32360?
Simply put: an unauthenticated user could access recent print jobs—potentially exposing private documents to anyone using the same computer. Normally, you’d expect only the owner or someone with the right password to see the history of printed files, but this flaw made it a little too easy.
Official Apple Advisory
- Apple Security Updates — CVE-2023-32360
What Really Happened? The Vulnerability Explained
When you print on a Mac, the operating system keeps a log of recent print jobs. This log is managed by cupsd, the CUPS print server running in the background. The bug existed in how the system managed access to these logs—not checking if the user was authorized before showing the print history.
The CUPS Print Job API
On a vulnerable machine, you could run code that queried recent print jobs *without* actually being the owner or an authenticated user.
Here’s a simplified snippet in C (using the CUPS API)
#include <cups/cups.h>
#include <stdio.h>
int main() {
cups_job_t *jobs;
int num_jobs, i;
num_jobs = cupsGetJobs(&jobs, NULL, , CUPS_WHICHJOBS_COMPLETED);
for (i = ; i < num_jobs; i++) {
printf("Job ID: %d\n", jobs[i].id);
printf("User: %s\n", jobs[i].user);
printf("Document: %s\n", jobs[i].title);
}
cupsFreeJobs(num_jobs, jobs);
return ;
}
On a vulnerable macOS, any local user could see all this info—even recent jobs printed by other users.
How Was It Fixed?
Apple’s changelog is minimal:
> “An authentication issue was addressed with improved state management.”
Based on open source CUPS changes around this time, Apple improved session-state tracking and required *actual* user credentials before letting a process read or view job logs. The patch added user/session checks before fulfilling job requests.
Open-Source Reference
While CUPS is maintained as an open project, some Apple-specific patches are internal. You can review CUPS changes here:
- GitHub: OpenPrinting CUPS
Look for changes to functions like cupsGetJobs() or cupsd in releases around May 2023.
Example Fixed Pseudocode
if (authenticated(user)) {
// Show the job log
send_job_history_to_user(user);
} else {
// Deny access
deny_access();
}
Before the fix, authenticated(user) was often missing or incorrectly validated!
Is This Exploitable?
Yes: if your Mac was shared, a guest or malicious app could see sensitive document names, possibly even file contents depending on CUPS configuration. No admin password was needed.
Exploit Example Using Terminal
lpstat -W completed -o
On vulnerable systems, this lists all completed print jobs, not filtered by user.
Conclusion
CVE-2023-32360 is a classic example of how authentication “gaps” can have big privacy consequences—sometimes via something as ordinary as a print log. Thanks to updates, recent versions of macOS now keep your print history private, and unauthorized users can no longer poke around for secrets.
References:
- Apple security updates for macOS - June 2023
- CUPS Documentation
- OpenPrinting CUPS GitHub
Stay safe out there, and remember to keep your systems patched—even for things you don’t think about, like your printer!
Timeline
Published on: 06/23/2023 18:15:00 UTC
Last modified on: 07/27/2023 04:15:00 UTC