Low severity 2.4 · NVD Advisory · Published Apr 2, 2017 · Updated May 13, 2026

CVE-2017-2397

Description

On iOS below 10.3, an iCloud authentication prompt displayed on the lock screen can reveal the user's Apple ID to a physically proximate attacker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The issue resides in the Accounts component of Apple iOS before version 10.3. Under certain conditions, when an iCloud authentication prompt is triggered, it is presented on the lock screen instead of being hidden until the device is unlocked. This prompt includes the user's Apple ID, allowing anyone with physical access to the device to view the email address associated with the account. The vulnerability affects iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later [1].

Exploitation

An attacker must have physical proximity to the locked device. No authentication, user interaction, or special privileges are required beyond the ability to view the screen. The attack sequence involves simply reading the Apple ID displayed in the iCloud authentication prompt that appears on the lock screen when the system requires re-authentication [1].

Impact

Successful exploitation results in disclosure of the victim's Apple ID (email address). The information gain is limited to the Apple ID itself; no additional device access or data exfiltration is achieved. The confidentiality of the Apple ID is compromised, and the disclosed address could potentially be used for social engineering or phishing attacks [1].

Mitigation

Apple addressed the issue in iOS 10.3, released on March 27, 2017. The fix removes iCloud authentication prompts from the lock screen entirely. Users should update to iOS 10.3 or later via Settings > General > Software Update. No workaround is available for affected versions. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
