Apple has recently addressed a significant vulnerability in its VoiceOver feature that raised privacy concerns for iPhone and iPad users. The flaw, identified as CVE-2024-44204, allowed the VoiceOver accessibility tool to read saved passwords out loud, a critical issue for users relying on this feature to navigate their devices without visual input. The bug was discovered in Apple’s native password management app, introduced in iOS 18.0. It impacted various models, including iPhones from the XS series and newer, as well as several iPads.
This issue was particularly concerning for users who store sensitive information in their password manager. Although the VoiceOver feature is off by default, those who activated it for accessibility reasons were at risk. Fortunately, Apple has resolved the issue in the iOS 18.0.1 update by improving the logic that controls how VoiceOver interacts with stored passwords.
In addition to the VoiceOver flaw, Apple also fixed another issue (CVE-2024-44207) affecting audio messages, where iPhone 16 series devices could begin recording audio before users were aware of it, posing a further privacy risk. While neither vulnerability was remotely exploitable, both were significant enough to warrant immediate updates to protect user data.
Cybersecurity experts have praised Apple for addressing the issues promptly, highlighting the importance of updating devices to the latest software versions to prevent any misuse of these vulnerabilities. Users are encouraged to install the iOS 18.0.1 update as soon as possible to safeguard against potential risks.
For businesses and individuals using iPhones for sensitive work, these fixes underscore the importance of staying up to date with security patches, particularly as accessibility features can occasionally be exploited in unintended ways.