Chain of CVEs across 2 years allowed a malicious calendar invite to steal iCloud photos without requiring any user input.
Thank you for posting this, I’m glad people like this researcher are finding exploits like these and reporting them to companies like Apple so they can get fixed. Aside from the exploits being patched, I’m curious if other recommended security precautions could have prevented this and other similar but still unknown attack vectors.
He doesn’t mention this, nor is there enough detail in the article to determine whether Lockdown Mode and/or Advanced Data Protection blocks this. I suspect in both cases the exploit would be unsuccessful.
In Lockdown Mode, many file attachment types are blocked, which may mitigate this attack from the start. Additionally, invites to Apple services have to be initiated by the Lockdown Mode device, as outside invites will be automatically blocked. For Advanced Data Protection, the iCloud files (including photos) are E2EE. Without the decryption key the attacker would receive an encrypted version of the photo.
I’m pretty sure Advanced Data Protection only ensures that Apple doesn’t have a copy of the key used to encrypt your files as they’re being uploaded to iCloud. This exploit talks about downloading photos from iCloud using the Photos app on your device, which means they’ve been decrypted by your device at that point.
Is that the actual pathway for the exploit? If so, you would be correct, but my understanding from the article was:
iCloud=>Attacker device
Which would mean the attacker device lacks the decryption key (it exists in the Secure Enclave of the victim device).
If it is instead
iCloud=>Victim Device=>Attacker device
Then the attacker would be receiving the file after it was decrypted.