Apple Patches iOS 13 Bug Allowing Third-Party Keyboards “Full Access”

Apple on Friday released security updates for iOS 13 and iPadOS to address a vulnerability that allowed third-party keyboard extensions to gain “full access” without being granted permission.

The bug, Apple revealed earlier this week, only affects devices on which a third-party keyboard requests full access; Apple's built-in keyboards and third-party keyboards that do not use full access are not impacted. Full access lets a keyboard extension reach the network and share the data it collects with its containing app, which is what makes exfiltration of keystrokes possible in the first place.

Without full access, a third-party keyboard extension runs in a tighter sandbox: it has no network access and cannot hand data to its containing app, so it has no channel to external services. Under normal conditions the user must explicitly enable "Allow Full Access" in Settings before a keyboard gets the broader permissions; the bug meant the tighter restrictions were not applied even without that grant.
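A custom keyboard ships as an app extension under <App>.app/PlugIns/<Name>.appex, declares the keyboard extension point in its Info.plist and, if it wants full access, sets NSExtensionAttributes.RequestsOpenAccess to true. That flag identifies exactly the population of keyboards this bug concerned, so a quick bundle audit is a useful triage step. The script below is an added example (not code from the article or from Apple): it walks an extracted app bundle, classifies each extension, and lists the keyboards that request full access. The bundle layout, the sample plists and the com.example bundle identifiers are constructed for the example.

```python
"""Audit an iOS app bundle for custom keyboard extensions that request "full access".

Added example, not from the article or from Apple. The Info.plist keys used here
(NSExtension, NSExtensionPointIdentifier, NSExtensionAttributes, RequestsOpenAccess)
are the ones a keyboard extension really declares; the sample extensions, the fake
Notes.app layout and the com.example bundle identifiers are constructed test data.
"""
import plistlib
import tempfile
from pathlib import Path

KEYBOARD_EXTENSION_POINT = "com.apple.keyboard-service"


def _plist(bundle_id, point, attrs):
    # Build Info.plist bytes for a fake extension (constructed test data).
    return plistlib.dumps({
        "CFBundleIdentifier": bundle_id,
        "NSExtension": {
            "NSExtensionPointIdentifier": point,
            "NSExtensionAttributes": attrs,
            "NSExtensionPrincipalClass": "ExtensionViewController",
        },
    })


# Constructed samples: a full-access keyboard, a standalone keyboard, a share extension.
SAMPLE_EXTENSIONS = {
    "CloudKeyboard.appex": _plist("com.example.notes.cloudkeyboard", KEYBOARD_EXTENSION_POINT,
                                  {"PrimaryLanguage": "en-US", "RequestsOpenAccess": True}),
    "OfflineKeyboard.appex": _plist("com.example.notes.offlinekeyboard", KEYBOARD_EXTENSION_POINT,
                                    {"PrimaryLanguage": "en-US", "RequestsOpenAccess": False}),
    "ShareSheet.appex": _plist("com.example.notes.share", "com.apple.share-services",
                               {"NSExtensionActivationRule": "TRUEPREDICATE"}),
}


def classify_extension(info_plist_bytes, appex_name=""):
    """Describe one app extension from its Info.plist.

    Returns the bundle id, whether the extension is a keyboard, and whether it
    requests open (full) access. Non-keyboard extensions are reported too so the
    caller sees everything that ships in the bundle.
    """
    info = plistlib.loads(info_plist_bytes)
    ext = info.get("NSExtension", {})
    attrs = ext.get("NSExtensionAttributes", {})
    is_keyboard = ext.get("NSExtensionPointIdentifier") == KEYBOARD_EXTENSION_POINT
    return {
        "appex": appex_name,
        "bundle_id": info.get("CFBundleIdentifier"),
        "is_keyboard": is_keyboard,
        "requests_open_access": is_keyboard and bool(attrs.get("RequestsOpenAccess", False)),
    }


def audit_app_bundle(app_dir):
    """Walk <App>.app/PlugIns/*.appex and classify every extension found."""
    app_dir = Path(app_dir)
    results = []
    for info_plist in sorted(app_dir.glob("PlugIns/*.appex/Info.plist")):
        results.append(classify_extension(info_plist.read_bytes(), info_plist.parent.name))
    return results


def full_access_keyboards(app_dir):
    """Bundle ids of keyboard extensions that request full access."""
    return [r["bundle_id"] for r in audit_app_bundle(app_dir) if r["requests_open_access"]]


def build_demo_bundle(root):
    """Write the constructed sample extensions into a fake Notes.app layout under root."""
    app_dir = Path(root) / "Payload" / "Notes.app"
    for appex_name, plist_bytes in SAMPLE_EXTENSIONS.items():
        appex_dir = app_dir / "PlugIns" / appex_name
        appex_dir.mkdir(parents=True, exist_ok=True)
        (appex_dir / "Info.plist").write_bytes(plist_bytes)
    return app_dir


def run_demo():
    """End to end: build the fake bundle in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = build_demo_bundle(tmp)
        report = audit_app_bundle(app_dir)
        flagged = full_access_keyboards(app_dir)
    return report, flagged


if __name__ == "__main__":
    report, flagged = run_demo()
    for row in report:
        print(f"{row['appex']:<22} keyboard={row['is_keyboard']!s:<5} "
              f"full_access={row['requests_open_access']}")
    print("keyboards requesting full access:", flagged)
```

To run it against a real app, unzip the .ipa and pass the Payload/<App>.app directory to audit_app_bundle(); only the keyboards reported with requests_open_access set are relevant to this bug, and even those were only a problem on iOS 13.0 and 13.1 before the 13.1.1 fix.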

The security flaw, which is tracked as CVE-2019-8779, could allow a malicious keyboard app to record everything the user types and send the information to the attacker’s server.

However, the risk of exploitation is relatively low: a malicious keyboard would first have to pass Apple's App Store review and then be downloaded, installed and enabled in Settings by the victim.

On Friday, Apple announced the release of iOS 13.1.1 and iPadOS 13.1.1, which address the issue by applying the correct sandbox restrictions to third-party app extensions.

The update, which arrived only days after the release of iOS 13, is being delivered to iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.

Earlier this week, Apple addressed another issue in iOS 13 that allowed anyone with physical access to the device to view contacts directly from the lock screen (CVE-2019-8775).

On Thursday, the Cupertino-based tech company also released security updates for older versions of macOS, watchOS and iOS.

The newly released macOS Mojave 10.14.6 Supplemental Update 2, High Sierra Security Update 2019-005 and Sierra Security Update 2019-005 address an out-of-bounds read vulnerability that could allow a remote attacker to cause unexpected application termination or arbitrary code execution.

Tracked as CVE-2019-8641 and discovered by Samuel Groß and Natalie Silvanovich of Google Project Zero, the security flaw was addressed with improved input validation.

The same vulnerability was addressed in iOS and watchOS as well, with the release of iOS 12.4.2 and watchOS 5.3.2.

The macOS updates cover macOS Sierra 10.12.6, macOS High Sierra 10.13.6 and macOS Mojave 10.14.6. iOS 12.4.2 is available for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch 6th generation, and watchOS 5.3.2 for Apple Watch Series 1 and Apple Watch Series 2.

Related: iOS 13 Bug Gives Third-Party Keyboards “Full Access” Permissions

Related: Many iOS Developers Don’t Use Encryption: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
