CVE-2024-54550 is a vulnerability identified in Apple’s iOS and iPadOS operating systems that allows an application to access autocompleted contact information from Messages and Mail by reading system logs. The root cause is insufficient redaction of sensitive data in these logs, which inadvertently exposes contact details that should remain private. This issue affects versions prior to iOS 18.2 and iPadOS 18.2, as well as macOS Sequoia 15.2. The vulnerability does not require any privileges or user interaction, meaning any app installed on the device could potentially exploit this to harvest contact information without explicit permission. The vulnerability is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Apple addressed this by enhancing the redaction mechanisms to prevent sensitive contact data from being logged in a readable form. The CVSS v3.1 base score is 4.0, indicating a medium severity level, with the vector AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning the attack requires local access but no privileges or user interaction, and impacts confidentiality only. No known exploits have been reported in the wild as of the publication date. This vulnerability primarily threatens user privacy by exposing contact information that could be leveraged for social engineering or further attacks.

The primary impact of CVE-2024-54550 is the unauthorized disclosure of sensitive contact information stored in Messages and Mail autocomplete features. This leakage can compromise user privacy and potentially enable targeted phishing, social engineering, or identity theft attacks. While the vulnerability does not affect system integrity or availability, the confidentiality breach can undermine trust in Apple devices, especially in environments where sensitive communications are routine. Organizations with employees using vulnerable iOS or iPadOS devices may face increased risk of data leakage, especially if malicious apps are installed. The requirement for local access limits remote exploitation, but insider threats or compromised devices could exploit this vulnerability. The absence of known exploits reduces immediate risk, but the potential for privacy invasion remains significant. This vulnerability is particularly relevant for sectors handling sensitive personal or business contacts, such as finance, healthcare, and government.

To mitigate CVE-2024-54550, organizations and users should promptly update affected Apple devices to iOS 18.2, iPadOS 18.2, or macOS Sequoia 15.2 or later, where the issue is fixed. Restrict installation of untrusted or unnecessary applications to minimize the risk of malicious apps exploiting this vulnerability. Employ mobile device management (MDM) solutions to enforce app whitelisting and monitor device logs for suspicious activity. Educate users about the risks of installing apps from unknown sources and the importance of timely OS updates. For environments with high privacy requirements, consider disabling autocomplete features in Messages and Mail if feasible, or restrict access to system logs via configuration profiles. Regularly audit device configurations and app permissions to detect and prevent unauthorized access. Finally, monitor Apple security advisories for any updates or additional patches related to this vulnerability.