Apple’s iOS and iPadOS updates are usually about squashing bugs and protecting your device from prying eyes. But sometimes, new versions ship with surprises. CVE-2024-44204 is a perfect example—a subtle logic issue in iOS 18 made it possible for your private saved passwords to be read aloud by VoiceOver, Apple’s screen-reading accessibility tool.
This post dives into what happened, how the bug worked, how you could trigger it, and why updating to iOS 18..1 is critical. We’ll also show a simple code test of the flaw and link you to the official details.
What is CVE-2024-44204?
CVE-2024-44204 is a security flaw affecting iOS and iPadOS devices. Its essence? A logic issue let a user’s saved passwords—normally hidden, masked, and protected—be read aloud by VoiceOver, the accessibility feature that narrates on-screen content to users.
Apple’s security bulletin is here:
https://support.apple.com/en-us/HT213984
The Logic Issue in Simple Words
Apple’s Notes or Password Manager is supposed to tightly control what VoiceOver can read. Even if you highlight a password, the VoiceOver audio should only narrate "dots," not the real secret. But due to a validation flaw, VoiceOver could sometimes access the actual password text—even when it was hidden from the screen.
This broke Apple's "what you see is what gets read aloud" rule. Anyone with access to your unlocked phone could enable VoiceOver and have your stored passwords read out, even if you never shared your phone password with them.
Listen: VoiceOver may read out the actual password (not just "dots" or obfuscated content).
Video Example:
[No public PoC video available as of this writing, due to responsible disclosure.]
While we can't upload malicious code, the logic can be tested with this Swift-style pseudocode
// Pseudo code: Simulated vulnerable password cell for iOS TableView
struct PasswordCell: View {
@State var password: String = "SuperSecret123!"
@State var isMasked: Bool = true
var body: some View {
HStack {
Text(isMasked ? String(repeating: "•", count: password.count) : password)
.accessibilityLabel(Text(isMasked ? String(repeating: "•", count: password.count) : password))
Button(isMasked ? "Show" : "Hide") {
isMasked.toggle()
}
}
}
}
.accessibilityLabel _should_ match the visual label.
- A logic error meant that even when isMasked == true, sometimes the real password string was read by VoiceOver instead of dots.
Actual Apple code is closed-source, but the above highlights the crux—a validation lapse in what gets read aloud vs. what is displayed.
Why Is CVE-2024-44204 Serious?
- Unlocked phone: Anyone with brief unsupervised access could turn on VoiceOver and instantly learn your passwords.
Accessibility tools should not leak secrets, even by audio.
- Companies increasingly use passcodes and passwords stored in keychains—this risked enterprise security if devices were left unattended.
Apple’s Fix: iOS & iPadOS 18..1
Apple responded quickly by validating that VoiceOver only reads the masked version unless the user intentionally requests reveal. The patch is in:
More info
- Apple security updates
- Full advisory for CVE-2024-44204
Update now. Go to Settings > General > Software Update.
- If you use VoiceOver, verify that passwords are only read as dots unless you tap “Show Password.”
Conclusion
CVE-2024-44204 is a reminder that even accessibility features can become security hazards when validation is skipped. This bug allowed a password to leave your device—not via malware or network hacks, but plain audio. Apple has quietly fixed it, but for anyone still on early iOS 18 or iPadOS 18, update immediately.
Stay vigilant, update your devices, and remember that convenience and security are forever wrestling in your pocket.
References
- Apple security advisories
- CVE Details for CVE-2024-44204
- Apple’s official statement on the issue
For more deep dives on real-life privacy and security lapses, [subscribe to our newsletter]!
*(Content exclusive and written in plain English for practical awareness.)*
Timeline
Published on: 10/04/2024 00:15:02 UTC
Last modified on: 10/04/2024 17:29:54 UTC