IT Home, February 1: An Apple security vulnerability that allowed the location of iPhone users to be tracked without permission appears to have been fixed.
Apple previously released the official versions of iOS 16.3 and iPadOS 16.3 to the public, and the accompanying list of security fixes includes an entry labeled CVE-2023-23503.
This CVE is listed under Apple Maps. Its details have not been released publicly, but the number has been reserved for publication. IT Home learned that Apple’s release notes stated that “apps may bypass privacy preferences” and “resolved logic issues through improved state management.”
The flaw appears to allow location tracking regardless of user preferences. According to blogger Rodrigo Ghedin, at least one company has exploited the vulnerability.
A reader of Ghedin’s blog discovered that the app of the Brazilian company iFood was tracking his location. It is not known whether this was intentional. The reader had set iFood to never track location, but the app appeared to be able to get around that setting.
The user was running iOS 16.2 at the time. He reset the iPhone and updated it as soon as iOS 16.3 was released.
It’s unclear whether the reset or the update fixed the issue, but the user reported that iFood was no longer able to track his location. Ghedin said iFood was contacted, but the company has yet to issue a statement.
The official version of iOS 16.3 was released in January of this year, introducing iCloud Advanced Data Protection, Apple ID Security Keys, and other enhancements, bug fixes, and security updates for the iPhone.