CVE-2018-1000123
Description
Cordova iOS Keychain plugin before commit 18233ca25d logs sensitive keychain data to iOS system logs, exposing credentials to local attackers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Ionic Team Cordova plugin cordova-plugin-ios-keychain before commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf contains an information exposure through log files vulnerability (CWE-532) in the file CDVKeychain.m. The plugin writes keychain values (including login credentials and passwords) into iOS system logs via NSLog statements, without sanitizing sensitive data. Affected versions include all builds prior to the referenced fix commit [1].
Exploitation
An attacker must have access to the victim's iOS device logs. This can be achieved through physical access to the device (e.g., via USB debugging with Xcode or third-party tools that read system logs) or through malware already running on the device with privileges to read system logs. No authentication to the keychain itself is required; the exploit leverages the pre-existing logging mechanism. The attacker simply reads the system logs (e.g., through idevicesyslog or Xcode Console) to capture the plaintext keychain data that was inadvertently recorded [1].
Impact
Successful exploitation results in the disclosure of sensitive data stored in the iOS keychain, including login credentials, passwords, and potentially other confidential app data. This compromises the confidentiality of user credentials and can lead to unauthorized access to the user's accounts and services. The attacker gains no additional privileges on the device beyond the ability to read system logs, but the leaked credentials can be used for account takeover [1].
Mitigation
The vulnerability is fixed in commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf. All users should upgrade to a version of the plugin that includes this commit or later. The developer patch removed the sensitive NSLog calls from CDVKeychain.m [1]. As of the publication date (2018-03-13), no workaround has been documented beyond applying the fix. The plugin is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
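The mitigation above says the fix removed the sensitive NSLog calls from CDVKeychain.m. As an added example (not the plugin's code or its patch), this Python check flags NSLog calls in Objective-C source whose non-literal arguments have secret-looking names; the `SENSITIVE` name list, the function names and the sample method are assumptions constructed for illustration.

```python
import re

# Assumed name fragments that suggest secret material; tune for your codebase.
SENSITIVE = re.compile(r"password|passwd|secret|token|credential|value", re.I)
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
NSLOG = re.compile(r"\bNSLog\s*\(")

# Constructed Objective-C sample (hypothetical method, not taken from CDVKeychain.m).
SAMPLE = '''\
- (void)storeItem:(NSString *)key value:(NSString *)value {
    NSLog(@"storing %@ = %@",
          key, value);
    // NSLog(@"old debug: %@", password);
    NSLog(@"keychain item saved for password field");
}
'''

def strip_comments(src):
    """Blank out comments; keep string literals and line numbering intact."""
    def repl(m):
        text = m.group(0)
        return text if text.startswith('"') else re.sub(r"[^\n]", " ", text)
    return TOKEN.sub(repl, src)

def call_args(src, start):
    """Return the argument text of a call whose '(' ends just before start."""
    depth, i, in_str = 1, start, False
    while i < len(src) and depth:
        c = src[i]
        if in_str:
            i += c == "\\"          # skip the character after a backslash
            in_str = c != '"'       # a bare quote closes the literal
        elif c == '"':
            in_str = True
        else:
            depth += (c == "(") - (c == ")")
        i += 1
    return src[start:i - 1]

def find_sensitive_nslog(src):
    """Return (line, identifier) for NSLog calls whose non-literal arguments look secret."""
    src, findings = strip_comments(src), []
    for m in NSLOG.finditer(src):
        exprs = re.sub(r'@?"(?:\\.|[^"\\])*"', "", call_args(src, m.end()))
        hit = SENSITIVE.search(exprs)  # literals removed, so only logged expressions remain
        if hit:
            findings.append((src.count("\n", 0, m.start()) + 1, hit.group(0)))
    return findings
```

Run over a plugin checkout in CI, a non-empty result from `find_sensitive_nslog` marks log statements to review for CWE-532 before release.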
Affected products
- (no CPE) range: 1.0.0, 2.0.0
- (no CPE) range: < 18233ca25dfa92cca018b9c0935f43f78fd77fbf
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.