CVE-2023-42878 - How a Log Redaction Bug Exposed User Data on Apple Devices

Every year, Apple squashes hundreds of bugs. Most of these are minor, but now and then, a seemingly small flaw turns out to have a big impact. CVE-2023-42878 is one of those — a privacy issue affecting how Apple’s operating systems handled log files, putting sensitive user data at risk. Let's break down what happened, how it’s fixed, and provide some exclusive and simple insights, including sample exploit concepts and Apple’s own references.

What is CVE-2023-42878?

In September 2023, researchers discovered that Apple’s logging system wasn’t properly redacting sensitive information from application log files. That means an app could leave private user data behind in logs, and other apps, or even attackers, might access that data if they have the right permissions.

*iOS 17. and earlier*

- *iPadOS 17. and earlier/

*iPadOS 17.1*

Original reference: Apple Security Update – CVE-2023-42878

What’s a “Log Redaction Bug”?

Modern apps and OS components often use log files for debugging or record-keeping. When these logs include personal data — names, emails, locations, passwords, etc. — it’s critical that private parts get redacted (blacked out or replaced) if the logs are shared or accessed by untrusted apps.

CVE-2023-42878:
A flaw in Apple’s log-handling allowed more user data to remain in these logs than intended. If an app (malicious or simply careless) didn’t manually remove private information from the logs it writes, sensitive data could be left behind.

Suppose a weather app uses your current location, then logs it for debugging

let location = "Lat: 34.0522, Lon: -118.2437"
print("User location: \(location)")

If log redaction fails, that user's location can end up visible to any app that can access the logs.

1. Find Accessible Logs

Malicious apps installed on the same device can sometimes access system logs or their own sandboxed log files (with proper entitlements).

2. Parse for User Data

Attackers can scan through logs searching for patterns that look like emails, coordinates, or other secrets.

Conceptual Exploit in Swift

// This is simplified to demonstrate the point
import Foundation

let logFilePath = "/path/to/sandboxed/log.txt"
if let logContent = try? String(contentsOfFile: logFilePath) {
    let emailPattern = "[A-Za-z-9._%+-]+@[A-Za-z-9.-]+\\.[A-Z|a-z]{2,}"
    let regex = try! NSRegularExpression(pattern: emailPattern)
    let results = regex.matches(in: logContent, range: NSRange(logContent.startIndex..., in: logContent))
    for match in results {
        if let range = Range(match.range, in: logContent) {
            print("Found email: \(logContent[range])")
        }
    }
}

> *Note: On iOS, app sandboxing normally prevents access to other app's logs, but careless usage of shared folders or excessively broad logging could leak data even across apps.*

3. Exfiltrate Private Info

If any private user data is found, the app can send it to a remote attacker or misuse it locally.

Responsible Disclosure and Apple’s Fix

Apple addressed this issue by “improving private data redaction for log entries.” This means their frameworks now do a better job of stripping or masking sensitive information before any log data is written or visible to other apps or system services.

Read Apple’s advisory here:

https://support.apple.com/en-us/HT213970

How To Stay Safe

- Update your Apple devices to macOS Sonoma 14.1, iOS 17.1, iPadOS 17.1, or watchOS 10.1 (or later).

Be careful what apps you install, especially those asking for unnecessary permissions.

- App developers: Always sanitize sensitive data before writing to any logs! Never rely solely on "the system" for privacy.

Example: Safer Logging in Swift (App Developers)

func logUserData(email: String) {
    print("User logged in with email: [REDACTED]")
}

Conclusion

CVE-2023-42878 is a stark reminder: Small oversights, like poor log management, can lead to serious privacy problems. Apple has put a fix in place, but every developer and user plays a part in keeping data private. Update your system and think carefully about where your data lands!

References:
- CVE-2023-42878 (Apple)
- NIST National Vulnerability Database Entry


Stay safe!
If you found this explanation helpful, consider sharing it with your Apple-using friends.

Timeline

Published on: 02/21/2024 07:15:50 UTC
Last modified on: 11/21/2024 16:15:20 UTC