CVE-2025-24141 - Breaking Down the iOS Unlocked Device Photos Bug—Exploiting Auth Failures with Physical Access
---
Apple regularly patches security bugs, but some issues are both rare and important to understand. In January 2025, Apple addressed a sneaky authentication problem affecting iOS and iPadOS devices. Tracked as CVE-2025-24141, this vulnerability could let someone with your device in-hand see private photos, even if the Photos app should be locked.
Let's take a simple, step-by-step look at the vulnerability, walk through sample code showing the kind of state-management mistake behind it, and understand how the bug was exploited. If you want to dig deeper, check the Apple security release notes for iOS/iPadOS 18.3.
☠️ What is CVE-2025-24141?
CVE-2025-24141 is an authentication flaw in Photos app state management on iPhones and iPads, fixed in iOS 18.3/iPadOS 18.3. It only affects devices that are already unlocked—so the attacker must have physical access and the device’s lock screen must be bypassed (for example, if you leave your phone unattended while unlocked).
Impact:
With your unlocked device in hand, an attacker could access the Photos app's contents, _even if you previously "locked" the app_ using App Lock, Screen Time, or any in-app content restriction.
Cause:
Bad state management around authentication. The Photos app did not always check or enforce that access restrictions were active, leading to a bypass.
- You have your personal photos protected, maybe with App Lock or a Screen Time code.
- Your friend manages, via a specific sequence of actions, to open the Photos app and browse your pics despite the lock!
This is possible because the Photos app failed to correctly track whether authentication(s) were needed. Once your device was unlocked, an attacker could skip the extra authorization the Photos app should have required.
💻 State Management Gone Wrong—Sample Pseudocode
Here’s a simplified code snippet inspired by a typical state check in an app.
```swift
// -- BAD PATTERN: Authentication State Check Fails
// Stubs added so the snippet compiles and runs stand-alone.
var deviceUnlocked: Bool = true   // the OS lock screen has been passed
var photosAppLocked: Bool = true  // the user enabled an app-specific lock
var isPhotosLocked: Bool = true

func promptForPassword() { print("Prompting for the app-specific PIN / Face ID") }
func showPhotosLibrary() { print("Showing the photo library") }

func openPhotosApp() {
    if deviceUnlocked {
        // Logical error: device unlock doesn't mean photos should be unlocked
        isPhotosLocked = false
    }
    if isPhotosLocked {
        promptForPassword() // Should always call this!
    } else {
        showPhotosLibrary()
    }
}

// Correct way: Always check app-specific lock, not just device lock!
func openPhotosAppSecure() {
    if photosAppLocked {
        promptForPassword()
    } else {
        showPhotosLibrary()
    }
}
```
The bug in iOS seems to have let the app _think_ that device authentication was enough, skipping the actual in-app lock.
With the unlocked device in hand, the attacker:
- Opens the Photos app, which appears “locked” behind a PIN, Face ID, or Screen Time restriction.
- Manipulates the app (via multitasking, quick app switches, force-quit/launch) so the app skips the lock screen after a crash or resume.
- Can now browse or share all photos, even sensitive ones.
🧑‍💻 On iOS 18.2 and earlier, this "locked app bypass" was trivial with physical access.
Apple improved Photos’ state management in iOS 18.3:
- The app now checks its own locked state and requires re-authentication even if the device is already unlocked.
- Bypasses (like force-quitting, using multitasking, or app relaunches) can no longer skip the lock screen.
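To make those two fix points concrete, here is an added illustration in Swift. It is not Apple's code and not the page's original snippet; it models an app-lock state machine with a pre-fix policy (lock derived from device state) beside a post-fix policy (lock kept as its own state that re-arms on cold start and on leaving the foreground). The event names, the two policy types and the two event sequences are assumptions constructed for the model, mirroring the relaunch and multitasking paths the article describes.

```swift
// Added illustration of the fix described above. Hypothetical model, not Apple's code.
// Event names and policy types are assumptions chosen for the model.

enum LifecycleEvent {
    case deviceUnlocked      // the OS lock screen was passed
    case appLaunched         // cold start, including after a force-quit or crash
    case appBackgrounded     // user switched away via multitasking
    case appResumed          // user switched back to the app
    case authSucceeded       // the app's own PIN / Face ID prompt was passed
}

/// Pre-fix behaviour modelled: the app-level lock is derived from device
/// state and is never re-armed by lifecycle changes.
struct DerivedLockPolicy {
    private var unlocked = false

    mutating func handle(_ event: LifecycleEvent) {
        switch event {
        case .deviceUnlocked:
            // Logical error: a device unlock counts as proof the user may see photos.
            unlocked = true
        case .authSucceeded:
            unlocked = true
        case .appLaunched, .appBackgrounded, .appResumed:
            // Relaunch and app switching leave the flag untouched, so no fresh check happens.
            break
        }
    }

    var canShowLibrary: Bool { unlocked }
}

/// Post-fix behaviour modelled: the app-level lock is its own state, defaults
/// to locked, ignores device unlock, and re-arms on cold start and on leaving
/// the foreground. Only the app's own prompt clears it.
struct IndependentLockPolicy {
    private var authenticated = false
    private let lockEnabled: Bool

    init(lockEnabled: Bool) {
        self.lockEnabled = lockEnabled
    }

    mutating func handle(_ event: LifecycleEvent) {
        switch event {
        case .deviceUnlocked, .appResumed:
            break // device state and a plain resume say nothing about the app lock
        case .appLaunched, .appBackgrounded:
            authenticated = false // fail closed: re-authentication required next time
        case .authSucceeded:
            authenticated = true
        }
    }

    var canShowLibrary: Bool { !lockEnabled || authenticated }
}

/// Feeds one constructed event sequence to both models with the app lock enabled.
func evaluate(_ events: [LifecycleEvent]) -> (derived: Bool, independent: Bool) {
    var derived = DerivedLockPolicy()
    var independent = IndependentLockPolicy(lockEnabled: true)
    for event in events {
        derived.handle(event)
        independent.handle(event)
    }
    return (derived.canShowLibrary, independent.canShowLibrary)
}

// Constructed sequence 1: device unlocked, app opened, force-quit and relaunched,
// then reached again via multitasking, without ever passing the app's own prompt.
let noPromptPath: [LifecycleEvent] = [
    .deviceUnlocked, .appLaunched, .appBackgrounded, .appResumed, .appLaunched, .appResumed,
]

// Constructed sequence 2: the user authenticates once, then the app is
// backgrounded and resumed; the fixed policy requires a fresh prompt here.
let resumeAfterAuthPath: [LifecycleEvent] = [
    .deviceUnlocked, .appLaunched, .authSucceeded, .appBackgrounded, .appResumed,
]

for (name, path) in [("no app prompt", noPromptPath), ("resume after auth", resumeAfterAuthPath)] {
    let result = evaluate(path)
    print("\(name): derived-lock shows library = \(result.derived), independent-lock shows library = \(result.independent)")
}
```

Run it with `swift lockmodel.swift` (any file name works). In both sequences the derived policy ends up showing the library while the independent policy stays locked: the first sequence never passed the app's own prompt, and in the second the backgrounding re-armed the lock, which is exactly the re-authentication-on-resume behaviour the fix bullets describe. The design point is that `authenticated` is only ever set by `.authSucceeded` and is cleared by lifecycle events, so a wrong default or a missed transition fails closed rather than open.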
If you use any lock functions on Photos (or any other Apple app), update to iOS/iPadOS 18.3 immediately!
📚 References & Further Reading
- Apple Security Updates: About CVE-2025-24141
- iOS & iPadOS 18.3 Release Notes
- OWASP: Broken Authentication and Session Management
🧐 Conclusion (TL;DR)
- CVE-2025-24141: A bug let people access your Photos if they had your unlocked device, ignoring app-level locks.
- Fixed in: iOS/iPadOS 18.3.
Timeline
Published on: 01/27/2025 22:15:18 UTC
Last modified on: 01/30/2025 18:03:08 UTC