Apple Patches iOS 13 Bug Allowing Third-Party Keyboards “Full Access”

Apple on Friday released security updates for iOS 13 and iPadOS to address a vulnerability that allowed third-party keyboard extensions to gain “full access” without being granted permission.

The bug, Apple revealed earlier this week, only impacts devices where third-party keyboards request full access permissions, but does not affect Apple keyboards or third-party keyboards that don’t make use of full access. Full access permissions allow an app to fetch resources from a remote server.

In iOS, third-party keyboard extensions can also be designed to run entirely standalone, meaning that they won’t have access to external services.
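As an added illustration (not code from the article, Apple, or any affected keyboard), this is how a third-party keyboard extension declares and checks the permission the bug bypassed: the `RequestsOpenAccess` key in the extension's Info.plist states whether the keyboard asks for full access, and `UIInputViewController.hasFullAccess` reports at runtime whether the sandbox actually granted it. The class name, the `loadRemoteSuggestions` feature and the endpoint are assumptions.

```swift
import UIKit

// Info.plist of the keyboard extension (NSExtension > NSExtensionAttributes):
//   <key>RequestsOpenAccess</key>
//   <false/>      // standalone keyboard: never asks for full access
//
// Setting it to <true/> only makes the extension eligible; the user must still
// enable "Allow Full Access" in Settings before hasFullAccess becomes true.

final class KeyboardViewController: UIInputViewController {

    override func viewDidLoad() {
        super.viewDidLoad()
        // Runtime view of what the sandbox granted. Normally this mirrors the
        // user's toggle; CVE-2019-8779 was the case where the sandbox reported
        // full access that the user had never granted.
        if hasFullAccess {
            // A keyboard built as standalone has no legitimate reason to be here.
            assertionFailure("standalone keyboard unexpectedly reports full access")
        }
    }

    // Assumed network-backed feature (e.g. server-side predictions). Gate every
    // network path on hasFullAccess so the extension never opens a connection
    // unless the user opted in; without full access the sandbox blocks it anyway.
    func loadRemoteSuggestions(for prefix: String,
                               completion: @escaping ([String]) -> Void) {
        guard hasFullAccess else {
            completion([])          // no network without full access
            return
        }
        // Hypothetical endpoint; replace with the real prediction service.
        guard let url = URL(string: "https://example.invalid/suggest?q=\(prefix)") else {
            completion([])
            return
        }
        URLSession.shared.dataTask(with: url) { data, _, _ in
            let text = data.flatMap { String(data: $0, encoding: .utf8) } ?? ""
            completion(text.split(separator: "\n").map(String.init))
        }.resume()
    }
}
```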

The security flaw, which is tracked as CVE-2019-8779, could allow a malicious keyboard app to record everything the user types and send the information to the attacker’s server.

However, the risk of exploitation would be relatively low, as such a keyboard would first have to pass the Apple approval process and then be downloaded and installed by the victims.

On Friday, Apple announced the release of iOS 13.1.1 and iPadOS 13.1.1, which address the issue by applying the correct sandbox restrictions to third-party app extensions.

The update, which arrived only days after the release of iOS 13, is being delivered to iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.

Earlier this week, Apple addressed another issue in iOS 13, which provided access to contacts to anyone with physical access to the device, directly from the lockscreen (CVE-2019-8775).

On Thursday, the Cupertino-based tech company released security updates for macOS, watchOS, and iOS 12.4.1.

The newly released macOS Mojave 10.14.6 Supplemental Update 2, the High Sierra Security Update 2019-005, and the Sierra Security Update 2019-005 address an out-of-bounds read vulnerability that could allow an attacker to cause unexpected application termination or arbitrary code execution.

Tracked as CVE-2019-8641 and discovered by Samuel Groß and Natalie Silvanovich of Google Project Zero, the security flaw was addressed with improved input validation.

The same vulnerability was addressed in iOS and watchOS as well, with the release of iOS 12.4.2 and watchOS 5.3.2.

The updates are rolling out to macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.6; to iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation; and to Apple Watch Series 1 and Apple Watch Series 2.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.