VYPR
Low severity · 3.3 · NVD Advisory · Published Apr 2, 2017 · Updated May 13, 2026

CVE-2017-2384

Description

A flaw in iOS Safari's SQLite subsystem lets local users determine which sites were visited in Private Browsing mode, undermining privacy.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the SQLite subsystem of the Safari component on iOS versions before 10.3 [1]. When a user deletes browsing history, the SQLite database is not properly handled, leaving traces that can reveal which websites were visited during Private Browsing sessions. All iOS versions prior to 10.3 are affected [1].

Exploitation

An attacker must have local access to the device (e.g., physical possession or the ability to run code on the locked device). No user interaction is required beyond the initial creation of the private browsing data. The attacker can query the SQLite database remnants to enumerate visited URLs. The exact database file and the query needed are not fully disclosed in the references [1], but the condition is reachable because deletion does not clear all cached records.

Impact

A successful attack allows a local user to learn which websites were visited in Private Browsing mode, defeating the privacy guarantee intended by private browsing. The confidentiality of browsing history is breached, but no code execution, privilege escalation, or data modification is achieved. The attack does not compromise other data or system integrity [1].

Mitigation

Apple addressed the issue in iOS 10.3, released March 27, 2017 [1]. Users should update to iOS 10.3 or later to remediate the vulnerability. No workaround is available for earlier versions. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

3