CVE-2022-46718 iOS Vulnerability Exposes Sensitive Location Data: PoC is available

In today’s world, privacy is paramount, especially when it comes to protecting users’ sensitive information on their mobile devices. Apple is known for its strict security measures and continuous efforts to ensure user data remains private. However, a recent discovery of a sensitive location information leak vulnerability in the Apple iOS system highlighted the need for constant vigilance in the ever-evolving realm of cybersecurity.

CVE-2022-46718, a logic issue affecting Apple’s iOS, enables unauthorized applications to access users’ sensitive location information. Michael (Biscuit) Thomas, a security researcher, stumbled upon the vulnerability while investigating the iOS Frameworks. Apple addressed the issue by releasing iOS 16.2 in December 2022, implementing improved restrictions to resolve the problem.

During his research, Biscuit noticed an active NSXPCConnection to parsecd, a service responsible for processing search queries. He discovered that, by spoofing the correct header information using the SPPARSession class, parsecd would respond to search queries from any application. While initial tests suggested that only GeoIP location data would be accessible, further investigation revealed that searching for specific terms, such as “restaurants,” would prompt parsecd to retrieve the user’s exact location. This information was then returned via the PARResponse object.

Besides location data, parsecd also returns localized news results and search suggestions. Although Biscuit does not believe these contain user-identifiable information, he plans to explore these additional responses further after submitting his findings.

To demonstrate the CVE-2022-46718 vulnerability, Biscuit developed an app called CoreParsecLocation, which showcases how a third-party app can access a user’s precise location without consent or permission. The app also reveals that parsecd/CoreParsec provides localized search suggestions, knowledge cards, and a temporary user ID.

Users should ensure they have updated their devices to iOS 16.2 or later to safeguard their sensitive location information from potential exploitation.