
Apple Patches iOS 13 Bug Allowing Third-Party Keyboards “Full Access”

Apple on Friday released security updates for iOS 13 and iPadOS to address a vulnerability that allowed third-party keyboard extensions to gain “full access” without being granted permission.

The bug, Apple revealed earlier this week, only impacts devices where third-party keyboards request full access permissions, but does not affect Apple keyboards or third-party keyboards that don’t make use of full access. Full access permissions allow an app to fetch resources from a remote server.

In iOS, third-party keyboard extensions can also be designed to run entirely standalone, meaning that they won’t have access to external services.

The security flaw, which is tracked as CVE-2019-8779, could allow a malicious keyboard app to record everything the user types and send the information to the attacker’s server.

However, the risk of exploitation would be relatively low, as such a keyboard would first have to go through the Apple approval process and then be downloaded and installed by the victims.

On Friday, Apple announced the release of iOS 13.1.1 and iPadOS 13.1.1, which address the issue by applying the correct sandbox restrictions to third-party app extensions.

The update, which arrived only days after the release of iOS 13, is being delivered to iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.

Earlier this week, Apple addressed another issue in iOS 13, which provided access to contacts to anyone with physical access to the device, directly from the lockscreen (CVE-2019-8775).

On Thursday, the Cupertino-based tech company released security updates for macOS, watchOS, and iOS 12.4.1.

The newly released macOS Mojave 10.14.6 Supplemental Update 2, the High Sierra Security Update 2019-005, and the Sierra Security Update 2019-005 address an out-of-bounds read vulnerability that could allow an attacker to cause unexpected application termination or arbitrary code execution.

Tracked as CVE-2019-8641 and discovered by Samuel Groß and Natalie Silvanovich of Google Project Zero, the security flaw was addressed with improved input validation.

The same vulnerability was addressed in iOS and watchOS as well, with the release of iOS 12.4.2 and watchOS 5.3.2.

These two updates are rolling out for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.6, iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation, and Apple Watch Series 1 and Apple Watch Series 2.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
