CVE-2022-42792
Description
An iOS/iPadOS app may bypass location privacy protections to read sensitive location information. The issue was addressed with improved data protection logic.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2022-42792 is a privacy vulnerability in the data protection logic of iOS and iPadOS, fixed in iOS 16.1 and iPadOS 16. An app may be able to read sensitive location information, bypassing the intended location access controls. The vulnerability exists in versions prior to iOS 16.1 and iPadOS 16, affecting iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later [1].
Exploitation
An app with no explicit location permission may be able to access sensitive location information without user consent. The exact attack vector is not detailed, but it likely involves the app exploiting a flaw in how iOS manages location data access, potentially through a crafted request or by leveraging another system service [1]. No authentication or special network position is required beyond the ability to run an app on the device.
Impact
Successful exploitation allows an app to read sensitive location information, violating user privacy. The attacker does not gain code execution or elevated privileges beyond what is permitted for apps, but the exposure of location data can lead to surveillance or tracking without the user's knowledge [1].
Mitigation
Apple addressed the issue with improved data protection in iOS 16.1 and iPadOS 16, released on October 24, 2022. Users should update their devices to these versions or later. As of the publication date, no workaround is available for unpatched devices [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
- Range: <16
- Range: <16.1
- Range: unspecified
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.