https://www.darkreading.com/cyber-risk/iphone-voiceover-feature-read-passwords-aloud
Apple has released updates (iOS and iPadOS 18.0.1) to address two privacy-related security vulnerabilities in its mobile operating system.
VoiceOver Reading Passwords Aloud
The first bug, CVE-2024-44204, affected the VoiceOver accessibility feature. In certain situations, VoiceOver could read passwords aloud, compromising user privacy. The issue affected iPhones and iPads released since 2018.
Early Voice Message Recording
The second vulnerability, CVE-2024-44207, is specific to the new iPhone 16 models. This bug allowed audio messages to capture a few seconds of sound before the microphone indicator activated, potentially recording users without their knowledge.
Updates Available, Businesses Advised to Patch
Apple has addressed both vulnerabilities with improved validation and system checks. Security experts recommend that all users update their devices to iOS/iPadOS 18.0.1 as soon as possible. Businesses that rely on mobile devices are advised to prioritize patching these vulnerabilities to protect user privacy and corporate data.
Accessibility Features and Security
While these vulnerabilities highlight potential misuses of accessibility features, experts point out that such instances are uncommon. Apple typically conducts rigorous security testing on accessibility features to minimize these risks.
Lessons Learned
These vulnerabilities serve as a reminder for users to be mindful of the information displayed on their devices, especially when using accessibility features. Additionally, the early voice message recording bug underscores the importance of clear visual indicators when devices are capturing audio or video.