CVE-2023-42946 - How a Redaction Bug Could Leak Your Personal Data on Apple Devices
Apple is famous for making devices that "just work"—and keep your stuff safe. But even the biggest names make mistakes. CVE-2023-42946 is one such mistake: a privacy bug that could let an app peek at sensitive user info that was supposed to be hidden. The good news? Apple fixed it in October 2023. Let’s look at what happened, how the bug worked, and what Apple did to shut the door.
What Is CVE-2023-42946?
CVE-2023-42946 is a vulnerability that affected Apple's operating systems:
- iOS and iPadOS (iPhones and iPads)
The problem: Sometimes, when Apple's software was handling sensitive information—like passwords, tokens, or private data—it didn’t always hide (redact) it properly. So, an app might get access to more information than it should. This could mean passwords or private details could be logged, printed, or sent somewhere by mistake.
Fixed in: iPadOS 17.1
You can check your device’s version in Settings > General > About. If you’re running anything older than this, update right away!
How Could Apps See Hidden Info?
When apps or system processes handle sensitive data, they usually “redact” it before logging or sharing. Imagine a credit card number showing as “**** 1234” instead of the full number.
The bug in CVE-2023-42946 happened because Apple's redaction process sometimes didn’t fully hide sensitive details, especially in error messages or debug logs. Malicious apps could get clever and ask the system to perform actions that triggered these poorly-redacted logs, then collect the outputs and extract private data.
Suppose a function handles a sensitive API key. The expected log should hide the real value:
```swift
func logApiKey(_ apiKey: String) {
    let redactedKey = "****" // Should always show stars, never the key itself
    print("Using API Key: \(redactedKey)")
}
```
Bug Scenario:
In the bugged version, the code mistakenly logs the real key if an error occurs:
```swift
func fetchData(with apiKey: String, errorHappens: Bool) {
    // ... some code ...
    if errorHappens {
        print("API failed. Key used: \(apiKey)") // 🔥 Sensitive key exposed!
    }
}
```
A malicious app could exploit this by causing errors on purpose, then read the device logs (if it has permission), grabbing sensitive info.
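A hardened version of the fetchData scenario above, added here as an example (this is not Apple's code and is not taken from the advisory). It assumes the unified-logging `Logger` API available on iOS 14 / macOS 11 and later; the `FetchError` type, the `masked` helper, the subsystem name and the sample key are all made up for the example.

```swift
import Foundation
import os

// Added example, not Apple's code. Subsystem/category names are made up.
let logger = Logger(subsystem: "com.example.redactiondemo", category: "network")

// Hypothetical error type: deliberately carries no secret, because Error
// values get stringified in catch blocks and crash reports.
enum FetchError: Error {
    case requestFailed(status: Int)
}

/// Masks a secret for human-readable output (print, UI): keeps the last four
/// characters and replaces everything else with stars.
func masked(_ secret: String) -> String {
    guard secret.count > 4 else { return String(repeating: "*", count: secret.count) }
    return String(repeating: "*", count: secret.count - 4) + String(secret.suffix(4))
}

/// Hardened fetchData: the key never reaches a log entry in the clear on
/// either the success path or the error path.
func fetchData(with apiKey: String, errorHappens: Bool) throws {
    // `privacy: .private` makes the unified log store the value as <private>
    // instead of the real string, so the redaction happens at the log sink,
    // not at the mercy of each call site remembering to mask.
    logger.info("Starting request with key \(apiKey, privacy: .private)")
    if errorHappens {
        let status = 500 // constructed sample status code
        // Only non-sensitive context goes into the error entry.
        logger.error("API failed with status \(status, privacy: .public)")
        throw FetchError.requestFailed(status: status)
    }
}

let sampleKey = "sk_live_EXAMPLE_1234" // constructed sample secret
do {
    try fetchData(with: sampleKey, errorHappens: true)
} catch {
    // `error` contains no secret, so stringifying it is safe; the key shown
    // to a human is masked, e.g. "****************1234".
    print("Request failed: \(error). Key in use: \(masked(sampleKey))")
}
```

The design point is the same one the advisory's fix category addresses: redaction has to hold on the error path as well as the happy path, so it is safer to redact where the data leaves the process (the log entry itself, via the privacy annotation) than to rely on every `print` or `catch` block masking the value correctly. Keeping secrets out of `Error` payloads closes the other common leak, where a generic `catch { print(error) }` dumps whatever the error carried.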
What Did Apple Do to Fix This?
Apple improved how and where it hides sensitive data. Now, system logs, error messages, and app outputs are better at making sure private things really stay private—even in tricky error cases.
If you love reading the official details, Apple’s advisories are here:
- Apple Security Updates for macOS
- Apple Security Updates for iOS/iPadOS
- CVE Page on Apple
How Could Attackers Use This?
An attacker couldn’t use CVE-2023-42946 to break into your phone instantly. But if you installed a fishy app or trusted a shady developer, they might write code to:
How To Stay Safe
It’s simple:
- Only install apps from trusted sources (ideally, the App Store).
- Be careful with permissions and don’t jailbreak/root your device.
Summary
CVE-2023-42946 was a slip in how Apple hid private info. If you keep your devices updated, you’re already protected. But bugs like this remind us that even giants make mistakes—and quick security updates are our best defense.
Stay safe, and always keep your software up to date!
Further Reading
- Apple’s Official Advisory
- CVE Details: CVE-2023-42946
- Apple Security Updates
*If you liked this deep dive or have questions, drop them below!*
Timeline
Published on: 02/21/2024 07:15:51 UTC
Last modified on: 11/07/2024 15:35:06 UTC