An update that Apple will soon release for iOS 13 and iPadOS should resolve an issue that leads to third-party keyboard apps getting elevated permissions without the user’s approval.
In an advisory released on September 24 — first spotted by TechCrunch — Apple informed customers that it’s working on an update that should fix the issue.
The company explained that third-party keyboard extensions can run completely standalone and not access any external services, or they can request “full access” permissions, which enables them to provide extra features by connecting to a remote server.
However, there is a bug that leads to keyboards being granted full access permissions even if the user has not approved it. iPhone, iPad and iPod touch devices are affected.
A malicious keyboard app could exploit this, for example, to monitor everything that a user types and send it back to a remote server without the victim knowing as they have not been asked to grant full access permissions to the app.
“This issue does not impact Apple’s built-in keyboards. It also doesn’t impact third-party keyboards that don’t make use of full access. The issue will be fixed soon in an upcoming software update,” Apple said.
The tech giant informed users that they can check their devices for potentially affected third-party keyboards by going to Settings -> General -> Keyboard -> Keyboards.
These types of bugs can pose a serious security risk, but in this case the risk of exploitation for malicious purposes is relatively low. Attackers would have to develop a malicious keyboard extension, get Apple to approve it, and then convince the targeted user to install and use it.
The issue was discovered just days after iOS 13 was officially released, giving potential attackers only a small window for exploitation before the problem is fixed by Apple. Furthermore, the latest version of the mobile operating system supports swipe typing, which is one of the main reasons many users opted for third-party keyboards.
Related: Many iOS Developers Don’t Use Encryption: Report
Related: Google Researchers Find Remotely Exploitable Vulnerabilities in iOS
Related: iOS Vulnerabilities Allowed Attackers to Remotely Hack iPhones for Years

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Siemens License Manager Vulnerabilities Allow ICS Hacking
- CISA Releases Open Source Recovery Tool for ESXiArgs Ransomware
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
Latest News
- Siemens License Manager Vulnerabilities Allow ICS Hacking
- UN Experts: North Korean Hackers Stole Record Virtual Assets
- Russian Admits in US Court to Laundering Money for Ryuk Ransomware Gang
- A Deep Dive Into the Growing GootLoader Threat
- CISA Releases Open Source Recovery Tool for ESXiArgs Ransomware
- Patient Information Compromised in Data Breach at San Diego Healthcare Provider
- Germany Appoints Central Bank IT Chief to Head Cybersecurity
- OpenSSL Ships Patch for High-Severity Flaws
