CVE-2024-40852 in iOS
Summary
by MITRE • 09/17/2024
This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 18 and iPadOS 18. An attacker may be able to see recent photos without authentication in Assistive Access.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/19/2025
This vulnerability represents a critical security flaw in Apple's iOS and iPadOS operating systems that allowed unauthorized access to recent photos through the Assistive Access feature. The issue stems from insufficient authentication controls when a device is locked, specifically within the Assistive Access functionality that is designed to provide accessibility services to users with disabilities. The vulnerability exists because the system failed to properly enforce authentication requirements when accessing certain device features, creating a pathway for attackers to bypass normal security measures and view recent photos without proper authorization. This represents a significant breach of the principle of least privilege and demonstrates a failure in the device's access control mechanisms.
The technical nature of this vulnerability involves the improper handling of access controls within the Assistive Access framework, which is typically intended to provide controlled access to device functions for users with disabilities. When a device is locked, the system should maintain strict access controls to prevent unauthorized viewing of sensitive content including photos. However, the flaw allowed attackers to leverage the Assistive Access feature to bypass these security restrictions and gain access to recent photos stored on the device. This vulnerability aligns with CWE-284, which addresses improper access control, and demonstrates how accessibility features can inadvertently create security weaknesses when not properly secured. The flaw essentially created a backdoor through which unauthorized users could access device content that should remain protected by the device's lock screen security mechanisms.
The operational impact of this vulnerability is severe as it allows attackers to potentially access sensitive personal information without requiring device passcodes or biometric authentication. The ability to view recent photos without authentication creates significant privacy risks for users, as these images often contain personal, sensitive, or confidential information. This vulnerability particularly affects users who rely on Assistive Access features, but the implications extend to all device users since the flaw exists within the core operating system security architecture. The issue represents a serious threat to user privacy and could enable identity theft, social engineering attacks, or other malicious activities that exploit the personal information contained in recent photos. According to ATT&CK framework, this vulnerability maps to T1566 (Phishing) and T1070 (Indicator Removal on Host) as attackers could use this access to gather intelligence or cover their tracks.
The fix for this vulnerability required Apple to implement stricter access controls within the Assistive Access feature, ensuring that device lock screen protections remain effective regardless of which accessibility features are being utilized. The remediation involved restricting the options available when a device is locked, specifically preventing unauthorized access to recent photos through the Assistive Access functionality. This represents a security hardening measure that enforces proper authentication requirements before allowing access to sensitive device content. Users should immediately update to iOS 18 and iPadOS 18 to resolve this vulnerability, as the update implements the necessary access control restrictions that prevent unauthorized photo access. The fix demonstrates the importance of regular security updates and proper access control implementation in mobile operating systems, particularly for features that are designed to provide device access to users with disabilities while maintaining overall system security. Organizations should ensure their mobile device management policies include mandatory security updates to protect against this type of vulnerability.