Apple's iOS 16.3 update may fix unannounced location privacy bug
Apple's iOS 16.3 update may fix unannounced location privacy bug
An alleged security vulnerability that firms to track iPhone users’ location without permission has seemingly been fixed by Apple.
Apple released the iOS 16.3 and iPadOS 16.3 to the public with its usual list of security fixes, this time including a mention of what is labelled CVE-2023-23503.
Listed under Apple Maps, this CVE has not yet been published, but the number has been reserved in preparation for publication. Apple’s release notes say that “an app may be able to bypass Privacy preferences,” and that “a logic issue was addressed with improved state management.”
It appears that the vulnerability allowed location tracking regardless of a user’s preferences, and according to blogger Rodrigo Ghedin, at least one firm has exploited the fact.
One of Ghedin’s readers spotted that Brazilian firm iFood was allegedly monitoring his location. It’s not known whether this was deliberate or not, but the reader had iFood set to never track location, yet the company was seemingly able to do exactly that.
The reader was using iOS 16.2 at the time. He reset his iPhone and also updated to iOS 16.3 as soon as it was released.
It’s not now clear whether the reset or the update fixed the issue, but the reader reports that iFood has not been able to track him since. Ghedin says that he reached out to iFood but they have yet to provide a statement.