Researchers at browser identification company FingerprintJS recently found and disclosed a fascinating data leakage bug in Apple's web browser software. At first telling, the bug sounds both undramatic and unimportant: although it allows private data to leak between separate browser tabs that contain content from unrelated websites, the amount of data that leaks is minuscule.
A software bug introduced in Apple Safari 15's implementation of the IndexedDB API could be abused by a malicious website to track users' online activity in the web browser and worse, even reveal their identity. That's not the case with how Safari handles the IndexedDB API in Safari across iOS, iPadOS, and macOS. "In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy," Martin Bajanik said in a write-up.
Apple has released security updates to address a persistent denial of service dubbed doorLock that would altogether disable iPhones and iPads running HomeKit on iOS 14.7 and later. Apple has addressed this severe resource exhaustion issue in iOS 15.2.1 and iPadOS 15.2.1 by adding improved input validation which no longer allows attackers to disable vulnerable devices.
Apple on Wednesday rolled out software updates for iOS and iPadOS to remediate a persistent denial-of-service issue affecting the HomeKit smart home framework that could be potentially exploited to launch ransomware-like attacks targeting the devices. The iPhone maker, in its release notes for iOS and iPadOS 15.2.1, termed it as a "Resource exhaustion issue" that could be triggered when processing a maliciously crafted HomeKit accessory name, adding it addressed the bug with improved validation.
A new iPhone technique can hijack and prevent any shut-down process that a user initiates, simulating a real power-off while allowing malware to remain active in the background. "The NoReboot approach simulates a real shutdown. The user cannot feel a difference between a real shutdown and a fake shutdown. There is no user-interface or any button feedback until the user turns the phone back 'on'we cannot, and should not, trust a normal reboot."
The bug affects the Home app, Apple's home automation software that lets you control home devices - webcams, doorbells, thermostats, light bulbs, and so on - that support Apple's HomeKit ecosystem. Wiping your data is quick and reliable because Apple mobile devices always encrypt your data, even if you don't set a lock code of your own, using a randomly chosen passphrase kept in secure storage.
A persistent denial-of-service vulnerability has been discovered in Apple's iOS mobile operating system that's capable of sending affected devices into a crash or reboot loop upon connecting to an Apple Home-compatible appliance. HomeKit is Apple's software framework that allows iOS and iPadOS users to configure, communicate with, and control connected accessories and smart-home appliances using Apple devices.
Apple HomeKit is a software framework that lets iPhone and iPad users control smart home appliances from their devices. To demonstate the doorLock bug, Spinolas has released a proof-of-concept exploit in the form of an iOS app that has access to Home data and can change HomeKit device names.
Researchers now believe AirTags, which are equipped with Bluetooth technology, could be revealing a more widespread problem of tech-enabled tracking. Unlike similar tracking products from competitors such as Tile, Apple added features to prevent abuse, including notifications like the one Ms. Estrada received and automatic beeping.