VYPR
Medium severity 4.3 · NVD Advisory · Published Jun 10, 2024 · Updated Apr 2, 2026

CVE-2024-27807

Description

An app may bypass App Privacy Report logging on iOS/iPadOS; fixed in 16.7.8, 17.5, and later.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2024-27807 is a privacy bypass vulnerability affecting Apple iOS and iPadOS. The issue allows an application to circumvent the App Privacy Report logging mechanism, which is designed to track and display how apps access user data such as location, camera, microphone, and contacts [1]. Apple addressed the flaw with improved checks in iOS 16.7.8, iPadOS 16.7.8, iOS 17.5, and iPadOS 17.5 [1].

Exploitation

The vulnerability requires local access to the device; an app running on the device can exploit the bug without any special privileges beyond what a normal app would have [1]. No user interaction is needed beyond installing or running the malicious app. The attack surface is limited to physical devices or those where an app can be installed, such as via the App Store or side-loading.

Impact

By bypassing App Privacy Report logging, a malicious app could covertly collect sensitive user data without the user's awareness, as the privacy report would not record the access. This undermines a key transparency feature intended to give users insight into app behavior [1].

Mitigation

Apple has released security updates for the affected versions. Users should update to iOS 16.7.8 / iPadOS 16.7.8 or later (for older devices) or iOS 17.5 / iPadOS 17.5 (for newer devices) [1][4]. No workarounds are available; applying the update is the only complete mitigation.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

References

6
