CVE-2010-1809

Vulnerability

In iOS versions 3.0 through 4.0.2 on iPhone 3GS and later, and iPod touch (3rd generation), the VoiceOver accessibility feature does not announce the presence of the location services icon that appears next to an application that has requested the user’s location within the last 24 hours [1]. This issue resides in the settings panel for Location Services and affects users who rely on VoiceOver for device navigation.

Exploitation

No active exploitation by a remote attacker is required; the issue manifests when a visually impaired user interacts with the Location Services settings using VoiceOver. The icon is displayed but not announced by VoiceOver, so the user may not be aware that a specific app recently accessed their location. The scenario depends on the user’s accessibility configuration and an app having requested location data within the previous day.

Impact

Visually impaired users may not receive auditory feedback indicating that an application has used location services, potentially allowing an app to access location data without the user’s knowledge through the accessibility feature failure. The confidentiality of location privacy is compromised due to the missing accessibility announcement.

Mitigation

Apple addressed this issue in iOS 4.1, released on September 8, 2010 [1]. Users should update their devices to iOS 4.1 or later via iTunes. No workarounds are documented for unsupported versions.