In late 2023, Apple patched a serious privacy vulnerability in macOS Sonoma with the release of version 14.1. Known as CVE-2023-40405, this flaw allowed certain apps to read sensitive location information that should have never left your device. In this long read, we’ll break down what really happened, show some code, explain the risks, and link you to the original details.
What Was the Problem?
macOS, like many operating systems, creates log files to record what’s happening under the hood. These logs can be incredibly useful for developers or support engineers, but they can also accidentally capture sensitive info — like your GPS location, accounts, network activity, etc.
CVE-2023-40405 in a Nutshell
A privacy bug in macOS’s logging mechanism caused some apps to be able to read location data in log entries that were *supposed* to redact private details. Logs that should have looked like:
Location update: * (redacted)
instead sometimes included
Location update: Latitude: 40.73061, Longitude: -73.935242
If a malicious or misbehaving app read these logs, it could grab precise information about your movements, home, or workplace — even though you never gave it permission.
Logging Sensitive Data — The Wrong Way
Imagine a macOS process that logs every time your location changes. If the masking isn’t done right, a log entry might look like this:
let currentLocation = locationManager.currentLocation // returns CLLocation
os_log("User moved to %@", currentLocation.description)
If currentLocation.description includes latitude and longitude and there’s no redaction layer, anyone with read access to logs can see it.
Apple’s fix was to make sure any sensitive fields were redacted before being written out
let isSensitive = true // determined by privacy framework
if isSensitive {
os_log("User moved to [REDACTED]")
} else {
os_log("User moved to %@", currentLocation.description)
}
After Sonoma 14.1, logs containing sensitive info must be properly cleaned up, reducing the risk.
Exploiting the Flaw
Any app with permission to read the system logs could potentially harvest your location data — even without explicit location permissions! This could include:
Here’s a simple way an app could go snooping before the fix (pseudocode)
import subprocess
logs = subprocess.check_output([
"log", "show", "--predicate", 'eventMessage CONTAINS "Location update"', "--info"
])
for line in logs.decode('utf-8').splitlines():
if "Latitude" in line:
print(line)
This script scans macOS logs for _any_ location-containing message.
Report Date: 2023 (exact public report is confidential)
- Patched In: macOS Sonoma 14.1 (October 2023)
- Security Note: Apple Security Updates — see entry for CVE-2023-40405
From the official Apple advisory
> CVE-2023-40405: “A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14.1. An app may be able to read sensitive location information.”
In Summary
CVE-2023-40405 was a kind of “invisible” privacy leak, not through the usual app permissions, but through log records that were supposed to be private. Thanks to a patch in Sonoma 14.1, this doorway is now closed.
If you’re into more technical reading
- Apple’s security update page (HT213961)
- CVE details entry for CVE-2023-40405 (when available)
Remember: Sometimes the scariest bugs aren’t about malware or hacking, but about what’s written down and who can read it. Update your machines, and stay safe!
*This post is original content intended to make this technical issue easy to understand for everyone.*
Timeline
Published on: 10/25/2023 19:15:09 UTC
Last modified on: 11/02/2023 17:35:14 UTC