Presented at DEF CON 33 (2025), Aug. 8, 2025, 2:30 p.m. (45 minutes).
Apple champions user privacy and security, but beneath its glossy screens and polished interfaces lies an overlooked field of subtle vulnerabilities lurking within trusted, everyday features: Siri, Spotlight, Safari, Apple Intelligence, and Apple's official support systems. This talk dives deeply into multiple zero-day issues discovered on fully updated, non-jailbroken iPhones—no specialized tools required. I'll demonstrate how missing lock-state checks, Siri context confusion, race conditions, faulty Unicode parsing, incomplete patches, and other subtle oversights enabled me to bypass Face ID locks, retrieve sensitive user data, spoof emails, and trigger daemon crashes. Specifically, I'll show you how I disclosed sensitive data on locked devices via Siri (CVE-2025-24198) and Spotlight (CVE-2024-44235), bypassed Safari's Face ID protection on private tabs (CVE-2025-30468), executed deceptive email spoofing (CVE-2025-24225), leaked Apple Intelligence internal prompts and Private Cloud Compute data to ChatGPT, and exploited an unresolved IDOR vulnerability on Apple's support site to retrieve almost any customer data.
References:
- Apple Inc. (March 2025). "About the security content of iOS 18.4 and iPadOS 18.4." [link](https://support.apple.com/en-us/122371) (CVE-2025-24198, Additional recognition)
- Apple Inc. (March 2025). "About the security content of macOS Sequoia 15.4." [link](https://support.apple.com/en-us/122373) (CVE-2025-24198)
- Apple Inc. (March 2025). "About the security content of macOS Ventura 13.7.5." [link](https://support.apple.com/en-us/122375) (CVE-2025-24198)
- Apple Inc. (March 2025). "About the security content of visionOS 2.4." [link](https://support.apple.com/en-us/122378) (Accessibility vulnerability)
- Apple Inc. (December 2024). "About the security content of iOS 18.2 and iPadOS 18.2." [link](https://support.apple.com/en-us/121837) (Safari authentication bypass)
- Apple Inc. (December 2024). "About the security content of macOS Sequoia 15.2." [link](https://support.apple.com/en-us/121839) (Safari authentication bypass)
- Apple Inc. (December 2024). "About the security content of visionOS 2.2." [link](https://support.apple.com/en-us/121845) (Safari authentication bypass)
- Apple Inc. (October 2024). "About the security content of iOS 18.1 and iPadOS 18.1." [link](https://support.apple.com/en-us/121563) (CVE-2024-44235)
- Apple Inc. (September 2024). "About the security content of iOS 18 and iPadOS 18." [link](https://support.apple.com/en-us/121250) (Passwords app Wi-Fi password disclosure in App Switcher)
- Apple Inc. (September 2024). "About the security content of macOS Sequoia 15." [link](https://support.apple.com/en-us/121238) (Passwords app Wi-Fi password disclosure in App Switcher)
- Apple Inc. (September 2024). "About the security content of visionOS 2." [link](https://support.apple.com/en-us/121249) (Passwords app Wi-Fi password disclosure in App Switcher)
- Apple Developer Documentation: [link](https://developer.apple.com/documentation/)
- Apple Platform Security Guide: [link](https://support.apple.com/guide/security/)
- The iPhone Wiki: [link](https://www.theiphonewiki.com)
- Burp Suite Documentation (Intruder module): [link](https://portswigger.net/burp/documentation/desktop/tools/intruder)
- Common US Surnames (US Census Bureau): [link](https://www.census.gov/topics/population/genealogy/data/2010_surnames.html)
- CVE Database (MITRE): [link](https://cve.mitre.org)
- OpenAI Bugcrowd Program: [link](https://bugcrowd.com/openai)
Presenters:
- Richard "richeeta" Hyunho Im
Richard Hyunho Im (@richeeta) is a senior security engineer and independent vulnerability researcher at Route Zero Security. Currently ranked among the top 25 researchers in OpenAI's bug bounty program, Richard has also received security acknowledgements from Apple (CVE-2025-24198, CVE-2025-24225, CVE-2025-30468, and CVE-2024-44235), Microsoft, Google, and the BBC. His research highlights overlooked attack surfaces, focusing on practical exploitation that challenges assumptions about everyday software security.