CVE-2023-28826
Description
An app on Apple platforms may bypass redaction and access sensitive user data due to a logic issue addressed in iOS, iPadOS, and macOS updates.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A logic issue in the redaction mechanism of multiple Apple operating systems allowed an application to access sensitive user data that should have been obscured. The vulnerability is present in versions before iOS 16.7.6 and iPadOS 16.7.6, macOS Monterey 12.7.4, macOS Sonoma 14.1, and macOS Ventura 13.6.5 [1][3][4]. Apple does not disclose the exact component, but the flaw resides in how sensitive information is redacted when an app interacts with system data.
Exploitation
An attacker must distribute a malicious app or trick the user into running one on an affected device. No special network position or elevated privileges are required beyond the ability to install and execute an app. The app can then access data that the system redacts, without proper authorization.
Impact
Successful exploitation allows a malicious app to access sensitive user data, such as personal information or credentials, that the system intended to protect. The compromise affects confidentiality, potentially leading to further privacy breaches.
Mitigation
Apple has released fixes in iOS 16.7.6 and iPadOS 16.7.6 (available for supported devices), macOS Monterey 12.7.4, macOS Sonoma 14.1, and macOS Ventura 13.6.5. Users should update their devices to the latest available version. No workarounds are provided.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <16.7.6
- Range: <14.1
- Range: <13.6.5
- Range: <12.7.4
- Range: <16.7.6
- Range: unspecified
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (7)
News mentions
No linked articles in our index yet.