CVE-2024-54550 in iOS

Summary

by MITRE • 01/28/2025

This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2. An app may be able to view autocompleted contact information from Messages and Mail in system logs.


Analysis

by VulDB Data Team • 04/08/2026

This vulnerability is a critical information disclosure flaw in Apple's operating systems in which sensitive contact data could be exposed through the system logging mechanism. The issue stems from insufficient redaction of autocompleted contact information written to system logs, which allowed a malicious app to read data that should have remained protected. Apple addressed it in iOS 18.2, iPadOS 18.2 and macOS Sequoia 15.2, so earlier releases across those platforms are affected. The flaw specifically concerns how the system logs autocompleted contact information from Messages and Mail, two applications in which users routinely enter and select contact details.

Technically, the logging subsystem failed to sanitize or redact sensitive values that appeared in autocomplete suggestions. When a user interacts with contact information in Messages or Mail, the system may record those interactions in logs for debugging or operational purposes; because the redaction applied to those records was insufficient, the logs could carry personal identifiers, phone numbers, email addresses or other private data. The weakness maps to CWE-200 (exposure of sensitive information to an unauthorized actor) and is a clear breach of data protection principles: application data flowed through the logging infrastructure without proper sanitization, creating a path for unauthorized information access at the system level.

The operational impact goes beyond a simple privacy concern. Contact data harvested this way could feed social engineering campaigns, identity theft or targeted phishing, since an attacker could assemble detailed profiles of the individuals a victim communicates with. The issue is especially concerning because it affects core communication applications where users regularly handle sensitive personal data. For security professionals, it is a reminder that a seemingly innocuous logging mechanism becomes an attack vector when information sanitization is not implemented. Apple's fix strengthens the redaction so that autocompleted contact information is stripped from system logs before storage or transmission.

Apple's remediation strengthens the redaction step in the system logging framework so that autocompleted contact data is not written to log files. This follows established practice for information sanitization and data protection, particularly on platforms where user privacy is paramount. Organizations should deploy the update immediately across all affected systems and verify that redaction is actually taking effect. The case also shows the value of regular audits of logging and monitoring systems for information exposure. From an ATT&CK perspective, the exposure could be mapped to T1005 (Data from Local System) for the collection itself, with T1566 (Phishing) as a likely downstream use of the harvested contacts, which underlines the need for comprehensive controls. The resolution reinforces the principle that system logging should never expose sensitive user data, regardless of the application or system component involved.
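As an added illustration, not Apple's code or the actual fix, the following Python shows the two defensive controls the analysis points at: masking contact identifiers before a line reaches the log store, and auditing existing logs for lines that slipped through unredacted. The log lines, the regular expressions and the redaction markers are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample of what unredacted log lines might look like (not real Apple logs).
SAMPLE_LOG = """\
2025-01-20 10:01:22 Messages[412] autocomplete candidate: Alice Example <alice@example.com>
2025-01-20 10:01:23 Mail[518] suggestion ranked: +1 415-555-0123 score=0.91
2025-01-20 10:01:24 Messages[412] autocomplete candidate: <private>
2025-01-20 10:01:25 Mail[518] sync finished in 42ms
"""

# Deliberately shaped so that timestamps and pids do not match as phone numbers.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d{1,3}[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")


def redact(message: str) -> str:
    """Mask contact identifiers before a message is handed to the logger."""
    message = EMAIL_RE.sub("[email redacted]", message)
    return PHONE_RE.sub("[phone redacted]", message)


def audit_log(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, kind) for every stored line that still carries contact data."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if EMAIL_RE.search(line):
            findings.append((n, "email"))
        if PHONE_RE.search(line):
            findings.append((n, "phone"))
    return findings


if __name__ == "__main__":
    for number, kind in audit_log(SAMPLE_LOG):
        print(f"line {number}: unredacted {kind}")
    print("\n".join(redact(line) for line in SAMPLE_LOG.splitlines()))
```

Running the audit over the redacted output returns no findings, which is the check a practitioner would want after deploying a logging fix.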

Responsible: Apple

Reservation: 12/03/2024

Disclosure: 01/28/2025

Moderation: accepted

Entry: 2

CPE: ready

EPSS: 0.00175

KEV: no

Activities: very low

Sources
