CVE-2025-24143 - How a File System Access Flaw in WebKit Allowed Fingerprinting on Apple Devices
Apple products are known for their tight security, but even the best can have weaknesses. In early 2025, a new security flaw, CVE-2025-24143, was discovered affecting Apple devices using WebKit — the backbone of Safari and many other browsers on macOS, iOS, iPadOS, and visionOS.
Let’s break down what this vulnerability was, how it worked, and how Apple fixed it. We’ll also include real-world code snippets and resources if you want to dive deeper.
What is CVE-2025-24143?
CVE-2025-24143 is a vulnerability in WebKit that allowed a malicious website to access certain parts of the file system in a way it wasn’t supposed to. This flaw let bad actors fingerprint (and potentially track) users just by getting them to visit a crafted webpage.
visionOS 2.2 and earlier
Fixed in:
How Did the Vulnerability Work?
The heart of CVE-2025-24143 was improper file system access restrictions in WebKit. A webpage shouldn’t be able to tell anything about your device’s file system, but because of this bug, it could.
By exploiting subtle differences in how Safari responded to file system queries (for example, via the File System Access API), attackers could infer details about a user’s device — like what apps they had installed, OS version, or even user habits.
This was mainly used for *fingerprinting*: building a unique profile of a device or user without their consent.
Example: The Code in Action
Here’s a basic JavaScript snippet that could have been used to exploit the vulnerability. Remember: this is for educational purposes only.
// Attempt to detect if a sensitive folder or file exists
// This should NOT work, but due to CVE-2025-24143, it could leak info
async function checkFileSystemFingerprint() {
try {
// Try to access some unusual but common Apple-only folders
const dirs = [
'/Users/Shared/.apple_config',
'/private/var/mobile/Containers/Data/Application'
];
let result = "";
for (const dir of dirs) {
let handle = await window.showDirectoryPicker({startIn: dir});
if (handle) {
result += Accessible: ${dir}\n;
} else {
result += Not Accessible: ${dir}\n;
}
}
return result;
} catch (e) {
return "Could not access file system (expected behavior)";
}
}
checkFileSystemFingerprint().then(console.log);
Older Safari versions (pre-18.3) could leak folder access details to JavaScript, helping websites “fingerprint” you.
Installation of specific apps (via app-created folders)
- OS version (inferred by which files/directories exist)
Device usage habits
This might not sound dangerous at first, but combined with other fingerprinting tricks, it becomes a powerful way to track users across sites, defeating private browsing modes.
How Did Apple Fix It?
Apple patched the bug by tightening access restrictions to the file system API. Now, attempts to peek into restricted directories (even indirectly) are blocked, and the browser returns the same generic error every time.
So, if you’re running macOS Sequoia 15.3, iOS/iPadOS 18.3, visionOS 2.3, or Safari 18.3 or later, you are protected!
Links and Further Reading
- Apple Security Updates (Official)
- Apple CVE-2025-24143 Security Advisory
- WebKit Blog: Security Improvements
- OWASP: Browser Fingerprinting
Conclusion
CVE-2025-24143 is a good reminder that even small oversights in a browser’s file system can give malicious sites tools to track you. Apple’s quick fix keeps users safe — but only if you keep your devices updated.
Stay secure, stay updated — and if you’re curious, check those links above to see what else is being improved in your favorite browser!
Timeline
Published on: 01/27/2025 22:15:18 UTC
Last modified on: 02/04/2025 22:15:42 UTC