Apple has released a new security update for iOS 18.0.1 and iPadOS 18.0.1 that addresses how accessibility features handle saved passwords. The following speculation details could have been accidentally leaked.
The company rarely shares details about security updates it releases, and this time is no exception – so there’s a lot about the vulnerability and the patch we don’t know.
However, it is thought that the problem could reveal a user’s saved passwords in a slightly embarrassing way – by reading them out loud.
VoiceOver and passwords
As we enter the realm of speculation, there are two things we should keep in mind. Apple has an accessibility feature called VoiceOver. This is a screen reader, built into several Apple products (macOS, tvOS and more), that users can use to ‘speak’ to the device and have the output spoken back to them. The other important thing here is that with iOS 18 and iPadOS 18, the company introduced a native password manager, which it called the Passwords app.
Therefore, the bug could be in one of these two apps, but since Apple hasn’t shared the details, it’s impossible to know.
Here’s what we do know: the vulnerability is being tracked as CVE-2024-44204 and still had no severity rating at the time of writing. It is described as a “logic issue” that has been addressed with improved validation. It affects these devices:
iPhone XS and later
iPad Pro 13-inch
iPad Pro 12.9-inch third generation and later
iPad Pro 11-inch first generation and later
iPad Air third generation and later
iPad seventh generation and later
iPad mini fifth generation and later
The security community has long viewed passwords as an extremely weak way to protect digital assets, mainly because users tend to leave passwords at their factory defaults or create weak passwords that are easy to crack. Instead, it recommends setting up passphrases, biometrics, or multi-factor authentication (MFA).
Via The Register