CVE-2024-23255 in macOS
Summary
by MITRE • 03/08/2024
An authentication issue was addressed with improved state management. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4. Photos in the Hidden Photos Album may be viewed without authentication.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/03/2026
The vulnerability described in CVE-2024-23255 represents a critical authentication flaw within Apple's Photos application that affects iOS 17.3 and iPadOS 17.3 systems. This issue stems from inadequate state management during the authentication process for the Hidden Photos Album feature, which is designed to securely store sensitive user media content. The flaw allows unauthorized access to protected photos without proper authentication, fundamentally undermining the security model that users expect when utilizing privacy-focused features. The vulnerability specifically impacts the transition state between authenticated and unauthenticated sessions, creating a window where the system fails to properly enforce access controls.
The technical implementation of this vulnerability can be categorized under CWE-285, which addresses improper authorization within software systems. The flaw manifests as a state management failure where the application does not properly validate authentication status when transitioning between different user interface states. When users navigate to the Hidden Photos Album, the system should require proper authentication before displaying content, but due to the flawed state handling, the authentication check may be bypassed or improperly validated. This issue aligns with ATT&CK technique T1566 which involves credential dumping and unauthorized access to protected resources, as the vulnerability enables unauthorized viewing of protected media content.
The operational impact of this vulnerability extends beyond simple privacy concerns to potentially expose sensitive personal information that users have explicitly protected through the Hidden Photos feature. Attackers could exploit this flaw to access private photographs, potentially including intimate or sensitive content that users have specifically hidden from normal view. The vulnerability affects all users of iOS 17.3 and iPadOS 17.3 who have utilized the Hidden Photos Album feature, creating a significant risk for individuals who rely on this functionality for privacy protection. The flaw demonstrates a critical failure in the application's security architecture where the state transition mechanism does not properly enforce access controls, potentially allowing attackers to gain unauthorized access to protected user data.
Apple addressed this vulnerability through the release of iOS 17.4 and iPadOS 17.4 updates, which include improved state management mechanisms for authentication processes. The fix involves enhancing the session validation logic to ensure that proper authentication is enforced before granting access to hidden photos, regardless of the user interface state transitions. Additionally, macOS Sonoma 14.4 includes the necessary security patches to address the same vulnerability. Organizations and individuals should immediately apply these updates to protect their systems from potential exploitation. The remediation addresses the root cause by implementing proper state validation checks that ensure authentication status is consistently verified during all transitions between application states, preventing the bypass condition that previously allowed unauthorized access to protected content. This vulnerability highlights the importance of robust state management in security-critical applications and demonstrates how seemingly minor implementation flaws can create significant security risks for user privacy.