With the release of iOS 15 and iPadOS 15, Apple closed two important security vulnerabilities. One could allow malicious third-party apps to view private Apple ID data and in-app search history; the other made it possible to bypass a user's privacy settings.
With most iOS, macOS, tvOS and watchOS updates, Apple provides a list of the security vulnerabilities they fix. There is a separate area on Apple's website, which is occasionally updated with new entries once the investigation into a specific vulnerability has been completed. With iOS 15 and iPadOS 15 (officially available since September 2021), "additional sandbox restrictions for third-party programs" were introduced. The issue was discovered by developer Steve Troughton-Smith. The latest entry states:
iOS 15 & iPadOS 15: Updates are strongly recommended
- Impact: A malicious application may be able to access some of the user's Apple ID information or recent in-app search terms.
- Description: An access issue was addressed by adding sandbox restrictions for third-party applications.
- CVE-2021-30898: Steven Troughton-Smith of High Caffeine Content (@stroughtonsmith)
It is not known whether this particularly dangerous vulnerability was actually exploited; Apple, at least, has not provided any information on this. In addition to the security hole mentioned above, another vulnerability was patched in iOS 15, iPadOS 15 and watchOS 8 that could allow a third-party app to bypass privacy settings. In view of the latest information, users who are still on iOS 14 or iPadOS 14 are strongly advised to update to iOS 15 or iPadOS 15. (Photo by KanawatVector / Bigstockphoto)