This vulnerability was indeed low-hanging fruit. I was using the Console application on macOS to see log messages from the Maps process, and while I was clicking on different restaurants on the map, I noticed the following log message:
Maps[13621:4749765] GEOQuickETAResponse: <GEOQuickETAResponse: 0x6000005a9e00> etas: ( “<GEOETAResultByType: 0x600000f27410> { distance = 3951; historic travel time= 1058; “static_travel_time” = 1000;
Apple Maps writes the data above to stderr every time a location is clicked. I also knew about the Maps URL Scheme, which was crucial for this attack. After a few minutes of trial and error, I found that by using the “q” parameter, I could remotely trigger this behaviour while controlling the coordinates the distance value will be calculated from.
Apple assigned CVE-2022-32883 to this vulnerability.