Article Details
Scrape Timestamp (UTC): 2024-10-04 12:00:27.121
Source: https://www.theregister.com/2024/10/04/apple_voiceover_password_bug/
Original Article Text
Apple fixes bug that let VoiceOver shout your passwords
Not a great look when the iGiant just launched its first password manager.
Apple just fixed a duo of security bugs in iOS 18.0.1 and iPadOS 18.0.1, one of which might cause users' saved passwords to be read aloud. It's hardly an ideal situation for the visually impaired.
For those who rely on the accessibility features baked into their iGadgets, namely Apple's VoiceOver screen reader, now is a good time to apply the latest update.
In typical Apple fashion, the company hasn't released much in the way of details about the first security issue, tracked as CVE-2024-44204, which makes it tougher to understand the conditions under which this vulnerability could be triggered, or how to avoid it until the update is applied. What we do know is that it was characterized as a logic issue, which Apple rectified by improving validation.
The disclosure of the bug comes less than a month after iOS 18 and iPadOS 18 debuted. Ironically, this release included Apple's first native password manager, the Passwords app. It's unclear whether the issue was with the app itself or another area of the iOS/iPadOS 18 release; however, saved passwords are affected.
Devices that need updating include:
iPhone XS and later
iPad Pro 13-inch
iPad Pro 12.9-inch third generation and later
iPad Pro 11-inch first generation and later
iPad Air third generation and later
iPad seventh generation and later
iPad mini fifth generation and later
A severity score has yet to be assigned to the bug, which is perhaps due to ongoing backlog issues at the National Vulnerability Database.
Also included in the 18.0.1 update is a fix for another audio-based bug. CVE-2024-44207 only affects iPhone 16 – all models of the latest smartphone – but it captures more audio than the user interface indicates. The vulnerability is triggered when sending audio messages in iMessage.
Apple users will know that when the microphone is enabled, a small orange dot will appear in the device's Dynamic Island to indicate that audio is being recorded. However, the latest fix addresses an issue whereby the iPhone 16 may in some cases capture a few seconds of audio before that orange indicator is displayed. This one isn't the most jaw-dropping bug to ever be fixed, though it will likely bother privacy-minded users, so it's well worth a fix. And fixed it was, with improved checks, Apple said.
Daily Brief Summary
Apple has recently updated iOS and iPadOS to version 18.0.1, fixing two significant security vulnerabilities.
One of the bugs allowed VoiceOver to potentially read aloud saved passwords, posing a privacy risk particularly for visually impaired users.
This issue arrives awkwardly soon after the launch of iOS 18, which introduced Apple's own password management tool, the Passwords app.
Details about the conditions or specific triggers for the password-disclosure vulnerability have not been fully disclosed by Apple.
Affected devices include a range of modern iPads and iPhones, from the iPhone XS onward.
The update also resolved an additional audio-related bug (CVE-2024-44207) affecting the iPhone 16, where the device captured audio slightly before indicating it was recording.
Apple has improved validations and checks with the latest software patch to mitigate these issues.
No severity score is available yet for the disclosed vulnerabilities, possibly due to delays at the National Vulnerability Database.