CVE-2018-4310

Vulnerability

CVE-2018-4310 is an access issue in Apple iOS and macOS that allowed a local app to read a persistent account identifier. The vulnerability existed in versions prior to iOS 12 and macOS Mojave 10.14. The issue was addressed with additional sandbox restrictions and improved entitlements. [1][2][3]

Exploitation

An attacker would need to have a malicious app installed on the affected device. The app could then access the persistent account identifier without requiring additional privileges or user interaction beyond the initial installation. The attack is local, meaning the attacker must already have code execution capabilities on the device through a downloaded app. [2]

Impact

A successful exploit allows the local app to read a persistent account identifier, which could be used to track or identify the user across sessions or apps. This is a confidentiality breach that could compromise user privacy. The impact is limited to information disclosure and does not grant code execution or system control. [2]

Mitigation

The issue is fixed in iOS 12, released on September 17, 2018, and in macOS Mojave 10.14, released on September 24, 2018. Users should update their devices to the latest version of iOS or macOS. There are no known workarounds for unpatched systems. [1][2][3]