Action is advised.
Who is this announcement relevant for?
This announcement is relevant to SDK customers that integrate the Futurae iOS SDK v3 (including beta versions) up to v3.1.9.
Description of the vulnerability
We have identified a low-severity information leakage vulnerability: if a device backup (iCloud or local) is taken between the very first and the second launch of the SDK, that backup contains enrolled account information that should never be backed up.
What is the risk
If a remote malicious actor gains access to that backup (e.g. by compromising the user's Apple ID account), they can read the enrolled account information, which includes the Futurae user display_name property, the randomized Futurae user and device identifiers, and other Futurae user and service metadata. Notably, the attacker still does not obtain any cryptographic material and therefore cannot perform authentication or transaction signing operations on behalf of the affected end user, whose online account remains protected.
Advised Actions
To address this issue, we recommend that all customers using a vulnerable version of the Futurae iOS SDK update to iOS SDK v3.2.0 immediately. This release ensures that SDK enrolled accounts are not included in any device backup, which prevents the described information leakage. Note that updating the SDK does not alter backups that were already taken while a vulnerable version was installed.
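The advisory does not state which storage mechanism the SDK used for enrolled accounts, and the following is an added illustration, not Futurae SDK code. It shows the two iOS settings that decide whether app data enters an iCloud or local backup (the Keychain accessibility class and the file-level backup exclusion flag), the weak choice next to the device-only one, and two audit helpers an integrator can run in a debug build to list what a backup of their own app would still carry. The service name and directory are hypothetical.

```swift
import Foundation
import Security

// Keychain: items in a class without "ThisDeviceOnly" are carried in
// encrypted iCloud/local backups and restored onto other devices.
// Items in a *ThisDeviceOnly class are never included in a backup.
let service = "com.example.sdk.enrollment" // hypothetical service name

let deviceOnlyClasses = Set([
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
].map { $0 as String })

func storeEnrollment(_ data: Data, account: String, deviceOnly: Bool) -> OSStatus {
    let search: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
    ]
    SecItemDelete(search as CFDictionary) // replace any previous item
    var attrs = search
    attrs[kSecAttrAccessible] = deviceOnly
        ? kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly // stays on this device
        : kSecAttrAccessibleAfterFirstUnlock               // weak: migrates via backup
    attrs[kSecValueData] = data
    return SecItemAdd(attrs as CFDictionary, nil)
}

// Audit: accounts under `service` whose accessibility class lets a backup carry them.
func keychainAccountsEligibleForBackup() -> [String] {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecMatchLimit: kSecMatchLimitAll,
        kSecReturnAttributes: true,
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let items = result as? [[CFString: Any]] else { return [] }
    return items.compactMap { item in
        let accessible = item[kSecAttrAccessible] as? String ?? ""
        guard !deviceOnlyClasses.contains(accessible) else { return nil }
        return item[kSecAttrAccount] as? String
    }
}

// Files: everything in the app container except Caches and tmp is backed up by
// default. Set the exclusion in the same launch that creates the file, so there
// is no window between launches in which a backup can pick it up.
func writeExcludedFromBackup(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
    var values = URLResourceValues()
    values.isExcludedFromBackup = true
    var marked = url
    try marked.setResourceValues(values)
}

// Audit: regular files under `directory` that a backup would include.
func filesEligibleForBackup(under directory: URL) -> [URL] {
    let keys: Set<URLResourceKey> = [.isExcludedFromBackupKey, .isRegularFileKey]
    guard let walker = FileManager.default.enumerator(
        at: directory, includingPropertiesForKeys: Array(keys)) else { return [] }
    var eligible: [URL] = []
    for case let url as URL in walker {
        guard let v = try? url.resourceValues(forKeys: keys),
              v.isRegularFile == true else { continue }
        if v.isExcludedFromBackup != true { eligible.append(url) }
    }
    return eligible
}

// Usage in a debug build: both lists should be empty for enrollment data.
let appSupport = try FileManager.default.url(
    for: .applicationSupportDirectory, in: .userDomainMask, appropriateFor: nil, create: true)
_ = storeEnrollment(Data("constructed-enrollment-blob".utf8), account: "user-1", deviceOnly: true)
try writeExcludedFromBackup(Data("constructed-enrollment-blob".utf8),
                            to: appSupport.appendingPathComponent("enrollment.bin"))
print("keychain items a backup would carry:", keychainAccountsEligibleForBackup())
print("files a backup would carry:", filesEligibleForBackup(under: appSupport))
```

The ordering in writeExcludedFromBackup is the point that matters for a bug of the kind described above: data that is first written with backup-eligible settings and only later moved or re-flagged is exposed to any backup that runs in between, so the protective attribute has to be applied at creation time, not on a subsequent launch.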
We apologize for any inconvenience caused and appreciate your prompt attention to updating the SDK. If you have any questions or need further assistance, please contact our support team at support@futurae.com