In a recent update to one of its support documents, Apple has revealed that the release of iOS 15 patched two major security vulnerabilities that had the potential to expose users’ private Apple ID information to malicious third-party apps (via MacRumors).
Apple notes that one of those security flaws could also let apps override user Privacy preferences. When the company rolled out iOS 15 and iPadOS 15 in September, it introduced “additional sandbox restrictions on third-party applications” to patch the flaw.
Alongside iOS 15, watchOS 8 also patched a security flaw that could allow a third-party app to bypass Privacy preferences. Apple has not shared any more information regarding the specifics of the flaw and has not indicated whether it was actively exploited.
Impact: A malicious application may be able to access some of the user’s Apple ID information, or recent in-app search terms
Description: An access issue was addressed with additional sandbox restrictions on third-party applications.
CVE-2021-30898: Steven Troughton-Smith of High Caffeine Content (@stroughtonsmith)
Entry added January 19, 2022
Apple has credited developer Steve Troughton-Smith for assisting it in finding and patching the vulnerability.