Recent Apple Updates Patch Privacy Vulnerabilities, One of Which Appears to Have Been Exploited (notes.ghed.in)

Rodrigo Ghedin:

iFood, Brazil’s largest food delivery app, valued at USD 5.4 billion, was accessing his location when not open or in use, bypassing an iOS setting that restricts an app’s access to certain phone features. Even when the reader completely denied location access to it, iFood’s app continued to access his phone’s location.

We got intrigued: how was iFood getting away with this?

An educated guess was revealed by the iOS 16.3 release notes, published on January 23rd. Apple mentions a security issue in Maps where “an app may be able to bypass Privacy preferences”. It’s CVE-2023-23503, submitted by an anonymous researcher and, so far, “reserved” in CVE’s system — which means details are pending to be published.

Ghedin reports his source found iFood was no longer monitoring their location after updating to iOS 16.3, indicating this app may have been using this loophole or a similar one.

Dan Goodin:

I wonder how long this vulnerability was in effect. There may have been massive amounts of location data that were collected without users suspecting a thing.

I do not want to spread fear or uncertainty, but it is hard to believe iFood would be the only app interested in using location data even if the user has opted out of it. There were several privacy-related bugs fixed in this most recent round of operating system updates.