An update that Apple will soon release for iOS 13 and iPadOS should resolve an issue that leads to third-party keyboard apps getting elevated permissions without the user’s approval.
In an advisory released on September 24 — first spotted by TechCrunch — Apple informed customers that it’s working on an update that should fix the issue.
The company explained that third-party keyboard extensions can run completely standalone and not access any external services, or they can request “full access” permissions, which enables them to provide extra features by connecting to a remote server.
However, there is a bug that leads to keyboards being granted full access permissions even if the user has not approved it. iPhone, iPad and iPod touch devices are affected.
A malicious keyboard app could exploit this, for example, to monitor everything that a user types and send it back to a remote server without the victim knowing as they have not been asked to grant full access permissions to the app.
“This issue does not impact Apple’s built-in keyboards. It also doesn’t impact third-party keyboards that don’t make use of full access. The issue will be fixed soon in an upcoming software update,” Apple said.
The tech giant informed users that they can check their devices for potentially affected third-party keyboards by going to Settings -> General -> Keyboard -> Keyboards.
These types of bugs can pose a serious security risk, but in this case the risk of exploitation for malicious purposes is relatively low. Attackers would have to develop a malicious keyboard extension, get Apple to approve it, and then convince the targeted user to install and use it.
The issue was discovered just days after iOS 13 was officially released, giving potential attackers only a small window for exploitation before the problem is fixed by Apple. Furthermore, the latest version of the mobile operating system supports swipe typing, which is one of the main reasons many users opted for third-party keyboards.
Related: Many iOS Developers Don’t Use Encryption: Report
Related: Google Researchers Find Remotely Exploitable Vulnerabilities in iOS
Related: iOS Vulnerabilities Allowed Attackers to Remotely Hack iPhones for Years

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Google Patches Third Chrome Zero-Day of 2023
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
