Apple Maps, a bug allowed to collect the user location

If exploited, a privacy bug in Apple Maps, fixed in iOS 16.3, could have allowed other apps installed on the device to collect data on users’ locations without authorization.


At least one app appears to have done so, and one reporter speculated that the same privacy bug could have been exploited by countless apps over an unknown period of time. Recall that iOS 16.3 was released in final version for all users last week, after a month of beta testing.

Apple’s iOS release notes don’t list all the bug fixes; instead, those relating to security are mostly covered in a separate document. Apple lists 12 different security patches, including one for a privacy bug found in Apple Maps:

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass privacy preferences

Description: A logic issue was addressed through improved state handling.

CVE-2023-23503: An anonymous researcher

It appears to have been actively exploited

It’s not known how many apps exploited the Apple Maps bug, but it certainly appears that the bug is being actively exploited by at least one app. Brazilian journalist Rodrigo Ghedin reports that iFood, a Brazilian food delivery app, was able to access a user’s location in iOS 16.2 even when the user denied the app access to location.

Thus the iFood app was able to bypass the system’s permission checks. The questions raised by Ars Technica security writer Dan Goodin, then, are not to be underestimated:

How long has this vulnerability existed? What other apps have taken advantage of this? How much location data was collected?

There might have been massive amounts of location data collected without users suspecting a thing. Another user in the thread speculated that the bug could be related to when a user granted location access to an app and later revoked or restricted it (for example, from “Anytime” to “Only when using the app”) – with iOS not properly updating the list of apps that can access location data.

It’s unlikely Apple will comment on the news, as the bug is currently listed as confidential, meaning details won’t be released at this time. Expect them later, probably once most iOS users have updated to iOS 16.3.
