In this long-read post, we discuss CVE-2023-42939, recently discovered logic issue where a user's private browsing activity may be unexpectedly saved in the App Privacy Report on iOS 17.1 and iPadOS 17.1 devices. We will provide insights on the exploit details, code snippets, and links to original references.

Exploit Details

CVE-2023-42939 is a logic issue in Apple's iOS 17.1 and iPadOS 17.1 that deals with an unintended storage of private browsing data, violating users' privacy. A user's browsing activity in the 'Private' mode is not supposed to be logged or saved in any form. However, this vulnerability allows the App Privacy Report to save private browsing details, thereby rendering the Private mode somewhat ineffective.

Code Snippet

The exact code related to the vulnerability has not been released publicly, as it may lead to malicious usage. However, understanding the flow and reasoning behind the issue can help developers prevent such mistakes in the future. In simple terms, the pseudo-code for this error would look something like the following:

if (isPrivateBrowsingEnabled) {
  // Continue with private browsing, do not log activity to the App Privacy Report
} else {
  // Log activity to the App Privacy Report
}

However, the vulnerability occurs due to flawed logic in the implementation, perhaps an incorrect condition, which causes the unintended entry of private browsing data into the App Privacy Report.

Original References

Apple has acknowledged this issue in its official security content for iOS 17.1 and iPadOS 17.1. You can find the complete details here:
- Apple Security Content for iOS 17.1
- Apple Security Content for iPadOS 17.1

Solution

Fortunately, Apple has fixed this issue in iOS 17.1 and iPadOS 17.1, by addressing the logic problem with improved checks. To ensure your device is safe from this vulnerability, it is highly recommended to update your device to iOS 17.1 or iPadOS 17.1.

Conclusion

In conclusion, it is essential to regularly update your devices to the latest software versions, as they contain fixes for known vulnerabilities like CVE-2023-42939, which could potentially compromise users' privacy. Keeping your device up-to-date ensures that you are protected against security threats.

Timeline

Published on: 02/21/2024 07:15:50 UTC
Last modified on: 12/03/2024 20:42:07 UTC