Unrated severity · NVD Advisory · Published Jan 11, 2019 · Updated Aug 6, 2024

CVE-2016-4644

Description

In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a downgrade issue existed with HTTP authentication credentials saved in Keychain. This issue was addressed by storing the authentication types with the credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A downgrade issue in Apple Keychain credential storage across iOS, tvOS, and OS X allowed attackers to leak saved HTTP authentication credentials.

Vulnerability

A downgrade issue existed in the storage of HTTP authentication credentials in the Keychain of iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004. The authentication type was not stored with the credentials, allowing a downgrade attack where the system would reuse saved credentials with a weaker authentication scheme.[1][2][3]

Exploitation

An attacker in a privileged network position (e.g., man-in-the-middle) could intercept network traffic and downgrade the authentication method. By forcing the client to use a weaker authentication scheme, the attacker could then capture the saved credentials when the client retries authentication.[3]

Impact

Successful exploitation could leak sensitive user information, specifically the saved HTTP authentication credentials. This could lead to unauthorized access to services or further compromise of user accounts.

Mitigation

Apple addressed this issue by storing the authentication types with the credentials in the Keychain. The fix is available in iOS 9.3.3, tvOS 9.2.2, and OS X El Capitan v10.11.6 / Security Update 2016-004, all released on July 18, 2016. Users should update their devices to the latest versions to prevent this vulnerability.
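The fix described above, modelled as an added example (not Apple's code and not part of the advisory): a toy credential store that reuses a saved credential for any offered scheme, next to one that records the scheme at save time and refuses reuse under a different one. The class names, host, realm, sample values and the one-challenge-per-header parsing are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SavedCredential:
    user: str
    secret: str
    scheme: str  # authentication type in use when the credential was saved

def offered_schemes(www_authenticate):
    """Scheme names from WWW-Authenticate values (one challenge per value assumed)."""
    return [v.split(None, 1)[0].lower() for v in www_authenticate if v.strip()]

class CredentialStore:
    """Toy saved-credential store keyed by (host, port, realm)."""

    def __init__(self, bind_scheme):
        self.bind_scheme = bind_scheme  # False models the pre-fix behaviour
        self._items = {}

    def save(self, host, port, realm, cred):
        self._items[(host, port, realm)] = cred

    def select(self, host, port, realm, www_authenticate):
        """Return (scheme, credential) to answer with, or None to prompt the user."""
        cred = self._items.get((host, port, realm))
        offered = offered_schemes(www_authenticate)
        if cred is None or not offered:
            return None
        if not self.bind_scheme:
            # Pre-fix model: the saved secret answers whatever scheme is offered.
            return offered[0], cred
        saved = cred.scheme.lower()
        # Post-fix model: reuse only under the scheme the credential was saved for.
        return (saved, cred) if saved in offered else None

def demo():
    # Constructed sample data: credential saved after a Digest login.
    cred = SavedCredential("alice", "constructed-secret", "Digest")
    original = ['Digest realm="intranet", nonce="constructed"']
    downgraded = ['Basic realm="intranet"']  # same realm, weaker scheme
    results = {}
    for name, bind in (("unbound", False), ("bound", True)):
        store = CredentialStore(bind_scheme=bind)
        store.save("files.example", 443, "intranet", cred)
        results[name] = (store.select("files.example", 443, "intranet", original),
                         store.select("files.example", 443, "intranet", downgraded))
    return results

if __name__ == "__main__":
    for name, (same, weaker) in demo().items():
        print(name, "same scheme:", same is not None, "weaker scheme:", weaker is not None)
```

In the bound store, a challenge under a scheme other than the saved one yields no credential, so the client falls back to prompting the user instead of silently answering.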

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

References: 3
