Apple has recently addressed two security vulnerabilities in their iPhone and iPad devices that could have potentially compromised user privacy. The first bug, related to the VoiceOver accessibility feature, had the potential to expose sensitive passwords by reading them out loud. The second bug affected the recording of voice messages on new iPhone models, allowing audio capture to begin before users were aware they were being recorded.
To rectify these issues, Apple has released new operating system versions for both iOS and iPadOS (18.0.1), which include fixes for the vulnerabilities. Users are advised to update their devices promptly to ensure they are protected from potential security risks.
Michael Covington, the vice president of portfolio strategy for Jamf, emphasized that while these bugs do not involve remote exploits, they still pose a threat to user privacy. He recommended that businesses using mobile devices for work closely monitor the security issues and implement necessary updates promptly.
The first vulnerability, related to VoiceOver, allowed the accessibility feature to read out passwords stored in the “Passwords” app introduced in iOS and iPadOS 18. This logic issue affected a wide range of iPhone and iPad models released since 2018. Covington highlighted that misuse of accessibility features has been observed in the past, emphasizing the importance of thorough security and privacy testing to prevent such incidents.
The second bug, concerning the premature recording of audio messages, impacted all models of the new iPhone 16. Users could unknowingly have a few seconds of audio captured before realizing their microphone was active. While seemingly a minor issue, Covington pointed out the potential implications of such vulnerabilities in the hands of attackers seeking to maintain a presence on compromised devices.
At present, neither of these vulnerabilities have been assigned a rating in the Common Vulnerability Scoring System (CVSS), and further details remain undisclosed. Nonetheless, Apple’s proactive approach to addressing these security flaws is commendable in safeguarding user privacy and device integrity.