CVE-2024-44127
Description
Private Browsing tabs on iPhone and iPad could be accessed without authentication on a locked device, fixed in iOS 17.7/iPadOS 17.7 and iOS 18/iPadOS 18.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A state management issue in Safari's Private Browsing mode on iOS and iPadOS allowed unauthorized access to private browsing tabs when the device was locked. This affects devices running iOS/iPadOS versions prior to 17.7 and 18. The vulnerability is present in iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later for the 18 update; and iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later for the 17.7 update.
Exploitation
An attacker with physical access to a locked device could bypass the lock screen and view the contents of Private Browsing tabs without entering the device passcode. No additional authentication or user interaction is required beyond the device being locked.
Impact
Successful exploitation leads to unauthorized disclosure of private browsing data, including visited URLs and potentially sensitive information from open tabs. The attacker gains access to the user's private browsing session without authentication, compromising confidentiality.
Mitigation
Apple addressed this issue in iOS 17.7 and iPadOS 17.7, and iOS 18 and iPadOS 18, released on September 16, 2024 [1][2]. Users should update their devices to the latest available version. No workarounds are documented; updating is the only mitigation.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
- Range: >=18, <=17.7
- Range: >=18, <=17.7
- Range: 0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.