CVE-2022-32918

Vulnerability

CVE-2022-32918 is a vulnerability in Apple's privacy preferences enforcement. It allows an app to bypass user-configured privacy settings. The issue exists in iOS versions prior to 16 and macOS versions prior to Ventura 13. The exact affected versions include all devices running prior versions.

Exploitation

An attacker would need to trick the user into installing a malicious app on their device. No special permissions are required; the app can leverage the vulnerability to ignore privacy preferences such as location, contacts, or camera access. The steps are not publicly detailed.

Impact

Successful exploitation allows an app to bypass Privacy preferences, potentially accessing sensitive user data without authorization. The impact includes unauthorized access to personal information such as contacts, photos, location, and other data protected by Privacy settings.

Mitigation

Apple addressed this issue with improved data protection in iOS 16, released September 12, 2022 [2], and macOS Ventura 13, released October 24, 2022 [1]. Users should update their devices to these versions immediately. No workarounds are available for unpatched versions.