CVE-2017-6976: iCloud User Information Disclosure

AppleIDAuthAgent is a service on iOS that appears to handle actions regarding a user's Apple ID, including the iCloud information linked to that account. It runs an XPC service known as com.apple.coreservices.appleid.authentication, which could be accessed by any application.

When looking at how the service handled incoming XPC messages, I noticed that some log messages had been left behind. One of them was "DoGetMyInfo", which was logged when the command was 0x130. So I sent a message with that command value.

What I got back was very interesting. The components that were easy to spot were the user's name, the Apple ID itself, and the verified emails and phone numbers associated with the account. All of this could be done in the background without the user knowing anything about it.

Other commands that could be sent were 0x500, which primarily showed some settings for the account; 0x150, which showed a list of Apple IDs that were logged in on the device (?); and 0x510, which showed the last time the user logged in to their Apple ID account.

Apple made no public announcement about this bug, and appeared to patch the problem by requiring a certain entitlement.

Edit 02/08/17: Apple got back to me, and published the bug on their iOS 10.3 advisory page.

Disclosure timeline:
- January 19, 2017: Reported vulnerability to vendor
- January 24, 2017: Vendor acknowledged vulnerability
- March 28, 2017: Update requested due to a new release of the product
- April 1, 2017: Vendor reports a fix has been made
- May 16, 2017: Update requested due to a new release of the product
- May 23, 2017: Vendor reports that public announcement will be made
- August 1, 2017: Public disclosure by reporter
- August 2, 2017: Public disclosure by vendor

Written by George Dan.