Apple has been known for its privacy and security and the company also prides itself in saying so. However, the recent days have been not so great for Apple regarding privacy and security. First of all, we heard last week that even Apple’s Siri assistant is recording private conversations of its users. Interestingly, these recordings are also heard by humans which are known to be Apple contractors. Later, Apple had to give a statement and the reports were found to be quite accurate.
Now, a new iMessage flaw has come to notice for people which was found by a Google security researcher. Apparently, this flaw has been present on iPhones running iOS 12.3 or lower. Also, the same flaw affects iPads, iPods and other iOS devices too. However, the said flaw has already been fixed by Apple in its iOS 12.4 release.
Talking about the iMessage flaw, Google researcher Natalie Silvanovich says that this flaw would allow potential attackers to remotely read contents of files stored on iPhones without requiring any user interaction. Natalie also created a proof of concept to show this flaw works. But she adds that this is just “a simple example to demonstrate the reach-ability of the class in Springboard. The actual consequences of the bug are likely more serious.”
This flaw has also been identified as CVE-2019-8646 where CVE stands for Common Vulnerabilities and exposures. This is similar to what Google lists as being fixed when releasing its monthly security patches. According to Natalie, this iMessage flaw is caused by the _NSDataFileBackedFuture class present which can be “deserialized even if secure coding is enabled”
Apple, in its iOS 12.4 release patched the flaw and did this “by preventing this class from being decoded unless it is explicitly added to the allow list. Better filtering of the file URL was also implemented.”. Since this iMessage flaw is now known to attackers, we advise everyone using iOS 12 to update to iOS 12.4 as soon as possible.