In late 2023, Apple fixed a serious privacy issue (CVE-2023-42845) affecting macOS, iOS, and iPadOS. In this post, I'll explain what went wrong, how someone could exploit this vulnerability, and why you should update your devices. I'll keep things simple and provide code snippets and links to original sources. This is an exclusive, easy-to-understand explanation for everyone keen on privacy and security.

What Is CVE-2023-42845?

CVE-2023-42845 is an authentication vulnerability in Apple's Photos app on macOS and iOS/iPadOS. Normally, the "Hidden Photos" album requires you to authenticate (Face ID, Touch ID, or passcode) before showing your hidden pics. Due to a bug in state management, someone with access to your unlocked device could view Hidden photos without authenticating.

- Status: Fixed in macOS Sonoma 14.1, iOS 17.1, and iPadOS 17.1
- Impact: Allows anyone with access to your unlocked device to see Hidden photos without proper permission

References

- Apple Security Update: iOS 17.1
- Apple Security Update: macOS 14.1
- NVD - CVE-2023-42845

How Did It Happen?

The Photos app uses an authentication check before letting you see "Hidden" or "Recently Deleted" albums. The bug was in state management: if you navigated Photos in a certain way, you could bypass the authentication prompt and see hidden images.

- Tap "Hidden"
- Prompt: Face/Touch ID or passcode required
- After authentication: view Hidden photos

### Vulnerable Flow (Before 17.1/14.1)

- Entering "Hidden" right after viewing another protected album.
- Or leveraging multitasking (on iPad/macOS): Opening the album quickly after returning from another app.

The app would forget to ask for authentication and just display everything.

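Here's a simplified pseudo-code snippet (not real app code, but it demonstrates the logic):

```swift
class PhotosApp {
    // One flag shared by every protected album and never reset: this is the flaw
    var isAuthenticated: Bool = false

    func openHiddenAlbum() {
        if !isAuthenticated {
            requestAuthentication()
        } else {
            // A stale flag from an earlier unlock skips the prompt entirely
            showHiddenPhotos()
        }
    }

    func requestAuthentication() {
        // Prompt for Face/Touch ID or passcode
        if authenticateUser() {
            isAuthenticated = true
            showHiddenPhotos()
        } else {
            // Authentication failed: show nothing
        }
    }

    // Placeholder stubs so the sketch compiles
    func authenticateUser() -> Bool { return false }
    func showHiddenPhotos() { print("Showing Hidden photos") }
}
```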

The bug:
If `isAuthenticated` was set to true by viewing a *different* protected album and the state didn't reset, someone could just jump to "Hidden" and see everything. Or, if the app resumed from the background and skipped the authentication check, the flag might accidentally still be true.

The Fix

Apple changed the Photos app to strictly re-check authentication state each time you open a protected album.
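One way to structure that per-open re-check, as an added sketch that is not Apple's code and not from the original post. `ProtectedAlbum`, `AlbumGate`, `runScenario` and the injected `authenticate` closure are hypothetical names; in a real app the closure would wrap the system biometric/passcode prompt (for example LocalAuthentication's `LAContext.evaluatePolicy`).

```swift
// Hypothetical names throughout; this models the albums named in the post.
enum ProtectedAlbum { case hidden, recentlyDeleted }

// No long-lived isAuthenticated flag: access is scoped to one album and
// is dropped on every open, on close, and on backgrounding.
final class AlbumGate {
    // Stand-in for the Face ID / Touch ID / passcode prompt (assumption).
    private let authenticate: (ProtectedAlbum) -> Bool
    private var unlocked: ProtectedAlbum? = nil

    init(authenticate: @escaping (ProtectedAlbum) -> Bool) {
        self.authenticate = authenticate
    }

    // Every open prompts again; an earlier unlock of any album is ignored.
    func open(_ album: ProtectedAlbum) -> Bool {
        unlocked = nil
        guard authenticate(album) else { return false }
        unlocked = album
        return true
    }

    // Content is served only for the album the latest prompt unlocked.
    func canShow(_ album: ProtectedAlbum) -> Bool { unlocked == album }

    // Call when the album view closes or the app leaves the foreground.
    func lock() { unlocked = nil }
}

// Constructed scenario: the owner unlocks "Recently Deleted", then someone
// else taps "Hidden" and fails the prompt.
func runScenario() {
    var promptResults = [true, false]   // constructed prompt outcomes
    let gate = AlbumGate { _ in promptResults.removeFirst() }

    print("open Recently Deleted:", gate.open(.recentlyDeleted))
    print("Hidden visible without its own prompt:", gate.canShow(.hidden))
    print("open Hidden, prompt fails:", gate.open(.hidden))
    print("Recently Deleted still visible:", gate.canShow(.recentlyDeleted))
    gate.lock()
    print("anything visible after lock:", gate.canShow(.hidden))
}

runScenario()
```

The design point is that a successful prompt yields access to exactly one album for one viewing, so there is no shared boolean left behind for a later navigation path or app resume to reuse.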

Why Is This Important?

If you use Apple's "Hidden" album to keep sensitive photos away from prying eyes, this vulnerability should be a wake-up call. Just locking your device isn't enough — always update your OS to get security patches. Anyone with unlocked physical access to your device before the fix could see private images you thought were protected.

Conclusion

CVE-2023-42845 is a clear example of how small logic bugs can lead to major privacy issues. Thanks to reports and Apple’s quick patch, the problem is resolved in the latest updates. If you have not updated to macOS 14.1, iOS 17.1, or iPadOS 17.1 or later, do it now!

Stay safe, keep your private info private, and always keep up with security updates.

- Apple iOS 17.1 Security Content
- NVD Entry for CVE-2023-42845

Timeline

Published on: 10/25/2023 19:15:10 UTC
Last modified on: 11/02/2023 18:08:38 UTC