Apple Patches iOS 13 Bug Allowing Third-Party Keyboards "Full Access"

Apple on Friday released security updates for iOS 13 and iPadOS to address a vulnerability that allowed third-party keyboard extensions to gain “full access” without being granted permission.


The bug, Apple revealed earlier this week, only impacts devices where third-party keyboards request full access permissions, but does not affect Apple keyboards or third-party keyboards that don't make use of full access. Full access permissions allow an app to fetch resources from a remote server.


In iOS, third-party keyboard extensions can also be designed to run entirely standalone, meaning that they won’t have access to external services.


The security flaw, which is tracked as CVE-2019-8779, could allow a malicious keyboard app to record everything the user types and send the information to the attacker’s server.


However, the risk of exploitation would be relatively low, as such a keyboard would first have to go through the Apple approval process and then downloaded and installed by the victims.


On Friday, Apple announced the release of iOS 13.1.1 and iPadOS 13.1.1, which address the issue by applying the correct sandbox restrictions to third-party app extensions.


The update, which arrived only days after the release of iOS 13, is being delivered to iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.


Earlier this week, Apple addressed another issue in iOS 13, which provided access to contacts to anyone with physical access to the device, directly from the lockscreen (CVE-2019-8775).


On Thursday, the Cupertino-based tech company released security updates for macOS, watchOS, and iOS 12.4.1.


The newly released macOS Mojave 1 ..

Support the originator by clicking the read the rest link below.