
CVE-2023-40429 PoC — Apple iOS and iPadOS Security Vulnerability

Source
Associated Vulnerability
Title: Apple iOS and iPadOS Security Vulnerability (CVE-2023-40429)
Description: A permissions issue was addressed with improved validation. This issue is fixed in tvOS 17, iOS 17 and iPadOS 17, watchOS 10, macOS Sonoma 14. An app may be able to access sensitive user data.
Description
CVE-2023-40429: An app may be able to access sensitive user data.
Readme
# HostName

## Overview

HostName is a sample application demonstrating how a third-party app can access a user's device name without the `com.apple.developer.device-information.user-assigned-device-name` entitlement.

## Details

In iOS 16, Apple added the `com.apple.developer.device-information.user-assigned-device-name` entitlement to prevent third-party applications from fingerprinting a user by device name. However, the `ProcessInfo.processInfo.hostName` API broke in the process, which allowed a third-party developer to get the network hostname of the device without the entitlement. While the hostname is not an exact 1:1 copy of the device name, it's close. For example, my device is named `Astronaut Sloth`, which gives me a hostname of `Astronaut-Sloth`.

When a third-party developer accesses the `ProcessInfo.processInfo.hostName` API, the user is presented with an "Allow <X> to communicate with Local Network Devices" prompt. In iOS 15, the `ProcessInfo.processInfo.hostName` API would return `localhost` if the user denied this prompt. However, in iOS 16 this also broke: the device-derived hostname was always returned, regardless of the user's choice.
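The following is an added example, not code from the HostName project: a small regression check an app developer or auditor can run on a test device (iOS 16 versus iOS 17.0 or later) to confirm that `ProcessInfo.processInfo.hostName` no longer mirrors the user-assigned device name. `expectedDeviceName` is the name the tester set in Settings on that device; the assumption that the leaked hostname is that name with spaces turned into hyphens comes from the example above, and the handling of a trailing `.local` suffix is an extra assumption for robustness.

```swift
import Foundation

/// Regression check for the CVE-2023-40429 condition: does the network
/// hostname reveal the user-assigned device name without the entitlement?
/// (Added example; assumptions are noted inline.)
struct HostNameCheck {
    /// Live value from ProcessInfo.processInfo.hostName.
    let hostName: String
    /// The name the tester set on the test device, e.g. "Astronaut Sloth".
    let expectedDeviceName: String

    /// Hostname form of the device name: spaces become hyphens
    /// ("Astronaut Sloth" -> "Astronaut-Sloth"), as described in the writeup.
    var derivedHostName: String {
        expectedDeviceName.replacingOccurrences(of: " ", with: "-")
    }

    /// Strip an optional ".local" suffix before comparing.
    /// Assumption for robustness; the writeup shows the bare form.
    var normalizedHostName: String {
        hostName.hasSuffix(".local")
            ? String(hostName.dropLast(".local".count))
            : hostName
    }

    /// "localhost" is the iOS 15 answer when the user denies the Local Network
    /// prompt; it carries no user-assigned information.
    var promptDeniedOrUnavailable: Bool {
        normalizedHostName == "localhost"
    }

    /// True when the hostname mirrors the user-assigned device name. This is
    /// the leak condition and should be false on iOS 17.0 or later, or after
    /// the user denies the prompt.
    var mirrorsDeviceName: Bool {
        !promptDeniedOrUnavailable &&
            normalizedHostName.caseInsensitiveCompare(derivedHostName) == .orderedSame
    }
}

// Usage on a test device. The first call to hostName triggers the
// "Allow <App> to communicate with Local Network Devices" prompt.
let check = HostNameCheck(
    hostName: ProcessInfo.processInfo.hostName,
    expectedDeviceName: "Astronaut Sloth"   // set this to the test device's name
)
print("hostName=\(check.hostName) denied=\(check.promptDeniedOrUnavailable) mirrorsDeviceName=\(check.mirrorsDeviceName)")
```

On a patched device, `mirrorsDeviceName` should be `false` whether the prompt is allowed or denied; if an app legitimately needs the device name, it should request the `com.apple.developer.device-information.user-assigned-device-name` entitlement rather than read it from the hostname.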

## Timeline
- Discovered & reported this entitlement leak/bypass in August 2022 during the iOS 16 beta period.
- Apple patched the issue with iOS 17.0 in September 2023.
- Apple verified that the issue was fixed with iOS 17.0 in September 2023. This issue was not eligible for a bug bounty.
- The public disclosure was added to the [iOS 17.0 Security Notes](https://support.apple.com/en-us/HT213938) in September 2023.

## Final Thoughts
- I can't blame Apple for not wanting to pay a bug bounty for a one-line device-name bypass, but I'll admit it was a little frustrating to hear that an API leaking entitlement-gated information didn't qualify for a bug bounty. If anyone from Apple stumbles upon this, I would take a moment to update the [bug bounty categories](https://security.apple.com/bounty/categories/) page to include more information about similar issues that fall in the "it's a sensitive data bypass, but the data is not that sensitive." I still plan to finish up the other user fingerprinting issues I've found, but this experience has taken a bit of the wind out of my sails.