Apple cares deeply about your privacy. That’s why it was a big deal when security researchers found a vulnerability, labeled CVE-2023-32388, that could let apps sneak around privacy controls by leaking sensitive info into system log files. Let’s break down what went wrong, how hackers could have used it, and how you can make sure your Apple device is safe.
What is CVE-2023-32388?
A privacy issue was discovered in Apple’s major operating systems (macOS, iOS, iPadOS, and watchOS). The core of the issue: Apps could bypass your Privacy preferences and potentially leak private data into system logs.
Logs are supposed to help developers and system admins troubleshoot problems. But sometimes, they can also capture sensitive stuff ― your contacts, messages, or locations, for example. If an app records something private in logs, and those logs are accessible, your data is exposed without your permission.
Why did it happen?
Apple’s log system was not always scrubbing (or “redacting”) sensitive data before writing logs. That meant if an app deliberately (or accidentally) sent private info to the log, other apps — or even physical device attackers — could later extract that sensitive data.
A Simple Example: How an App Might Exploit the Bug
Imagine an app wants to grab your email address and dump it in the log so it can read it later (or another process can):
import os
let email = getUserEmail() // e.g., your real email address
os_log("User email: %{public}@", email)
Normally, Apple’s system would try to redact or hide this kind of sensitive info if privacy preferences said not to share it. With the CVE-2023-32388 vulnerability, those checks could be bypassed, so the email address could get logged in clear text.
Here’s a simplified attack chain
1. Malicious app obtains sensitive data it shouldn’t have (by leveraging other bugs or through permitted APIs).
App writes private data into a system or application log file.
3. Later, the same app (or another process it controls) reads the log file and extracts the private data — even if you’ve denied that kind of access in your Privacy settings.
Persistence: Data could be collected over time, in the background, making it hard to detect.
- Bypassing Privacy Preferences: Your choices in the Settings app no longer have their intended effect.
According to Apple’s security bulletin
> "A privacy issue was addressed with improved private data redaction for log entries."
(See Apple’s official security release notes).
In practical terms
- Apple upgraded the log system to carefully scrub sensitive data from log files, respecting your privacy selections.
- Apps that try to dump redacted/private info into logs will now find the data is replaced or removed.
Before Patch (bad)
os_log("Private location: %{public}@", userLocation)
Log file output
Private location: 123 Apple Park Way, Cupertino, CA
After Patch (good)
os_log("Private location: %{public}@", userLocation)
Log file output
Private location: [REDACTED]
Now, even if the app tries to write your address, it won’t show up in the log.
macOS Monterey before 12.6.6
- iOS/iPadOS 15 before 15.7.6
- iOS/iPadOS 16 before 16.5
How to fix:
Update your device via Settings or System Preferences to the latest OS release!
References
- Apple Security Updates (CVE-2023-32388)
- NIST National Vulnerability Database Entry
Final Thoughts
Log files are supposed to help, not hurt. CVE-2023-32388 taught us how even “background” tools like logs need strong privacy controls. Thankfully, now with the latest patches, your info stays yours.
If you’re not up to date, update now!
Don’t give a malicious app any backstage access to your data.
*Have more questions? Drop them in the comments below – let’s keep our Apple devices safe, together.*
Timeline
Published on: 06/23/2023 18:15:00 UTC
Last modified on: 07/27/2023 04:15:00 UTC