CVE-2014-4450

Vulnerability

The QuickType feature in the Keyboards subsystem of Apple iOS before 8.1 collects typing-prediction data from input fields even when the autocomplete attribute is set to off. This affects devices running iOS versions prior to 8.1, including iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later [1].

Exploitation

An attacker with the ability to read DOM input elements (e.g., via a malicious website or app) can discover credential values entered into fields where autocomplete is disabled. The QuickType feature inadvertently sends these credentials as part of its prediction data, making them accessible to the attacker. No authentication or special privileges are required beyond the ability to serve content to the user.

Impact

Successful exploitation leads to disclosure of sensitive information such as usernames and passwords, as the attacker can extract credential values from the collected typing-prediction data. The compromise is limited to information disclosure, but can expose user credentials to unauthorized parties.

Mitigation

The issue is addressed in iOS 8.1, released on October 20, 2014 [1]. Users should update their devices to iOS 8.1 or later. No workarounds are available for earlier versions.