Security News > 2021 > March > Apple’s Device Location-Tracking System Could Expose User Identities
Two vulnerabilities in a crowdsourced location-tracking system that helps users find Apple devices even when those devices are offline could expose the identities of their owners, researchers claim.
Offline Finding (OF), a proprietary feature introduced by Apple in 2019 for its iOS, macOS and watchOS platforms, allows Apple devices to be located even when they are not connected to the internet.
OF relies on a network of hundreds of millions of Apple devices, which the researchers say makes it the largest crowd-sourced location-tracking system in existence.
One flaw in the design of OF allows Apple to correlate the locations of different owners if their devices are reported by the same finder, "effectively allowing Apple to construct a social graph," which can violate user privacy, the researchers noted.
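The correlation described above, as an added illustration that is not code from the research paper or from Apple: a server that can attribute each uploaded location report to the finder device that sent it can link the owner devices that one finder saw within a short time window, even though it cannot decrypt the coordinates inside the reports. The report tuples, field names, owner pseudonyms and the 15-minute window are constructed for this example and do not reproduce Apple's real report format.

```python
"""Constructed simulation of finder-based co-location correlation.

A report is (finder_id, owner_pseudonym, timestamp). The finder_id stands for
whatever upload identity the server can attribute a report to; the owner
pseudonym stands for the rotating key identifier the owner later queries.
Coordinates are deliberately omitted: in the scheme described above the
server cannot read them, yet it can still build the graph below.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample data (not real Offline Finding traffic).
REPORTS = [
    ("finder-1", "A", 100),    # finder-1 sees owners A and B 100 s apart
    ("finder-1", "B", 200),
    ("finder-1", "C", 5000),   # C seen by finder-1 much later: no link to A/B
    ("finder-2", "B", 3000),   # finder-2 sees B and C twice within the window
    ("finder-2", "C", 3300),
    ("finder-2", "B", 3500),
    ("finder-3", "D", 7000),   # D is never co-located with anyone
    ("finder-3", "A", 9000),
]


def colocation_edges(reports, window=900):
    """Count, per owner pair, how often the same finder reported both owners
    within `window` seconds (900 s = the 15-minute window assumed here).

    Returns {(owner_a, owner_b): count} with each pair sorted alphabetically.
    """
    by_finder = defaultdict(list)
    for finder, owner, ts in reports:
        by_finder[finder].append((ts, owner))

    edges = defaultdict(int)
    for seen in by_finder.values():
        seen.sort()  # sorted by timestamp, so t2 >= t1 in every pair below
        for (t1, o1), (t2, o2) in combinations(seen, 2):
            if o1 != o2 and t2 - t1 <= window:
                edges[tuple(sorted((o1, o2)))] += 1
    return dict(edges)


def social_graph(edges, min_reports=1):
    """Turn pair counts into an adjacency map {owner: set(neighbours)},
    keeping only pairs co-located at least `min_reports` times. Raising the
    threshold filters out one-off passers-by and keeps recurring contacts."""
    graph = defaultdict(set)
    for (a, b), count in edges.items():
        if count >= min_reports:
            graph[a].add(b)
            graph[b].add(a)
    return dict(graph)


if __name__ == "__main__":
    edges = colocation_edges(REPORTS)
    print("co-location counts:", edges)
    print("social graph (all):", social_graph(edges))
    print("social graph (recurring only):", social_graph(edges, min_reports=2))
```

The point the simulation makes is that nothing in the correlation step depends on the plaintext location: the finder identity and upload timing alone are enough to draw edges between owners, which is why stripping or unlinking the uploader identity, rather than encrypting the coordinates, is what would close this gap.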
The second flaw, found in the macOS Catalina implementation, can enable a malicious application to circumvent Apple's restricted location API and access the geolocation of all of a user's owner devices without consent, abusing historical location reports to generate a unique mobility profile and identify the user "with high accuracy," the researchers said.
The team shared their findings with Apple, which issued a patch in September 2020, tracking the second vulnerability as CVE-2020-9986 and describing it as "a file access issue with certain home folder files." Noting that the flaw could allow "a malicious application to read sensitive location information," Apple addressed it with "improved access restrictions" in macOS Catalina 10.15.7.
News URL
https://threatpost.com/apples-location-system-expose-identities/164615/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS base score)
---|---|---|---
2020-10-22 | CVE-2020-9986 | Apple macOS: a file access issue existed with certain home folder files | 3.3