Connect with us

Tech

Security Bite: Here’s the iOS 17.5 bug that resurfaced deleted photos – 9to5Mac

Published

on

Security Bite: Here’s the iOS 17.5 bug that resurfaced deleted photos – 9to5Mac

After reports of deleted photos resurfacing years later following the installation of iOS 17.5, Apple released iOS 17.5.1 last week to address the issue. But what caused it in the first place? Thanks to some clever reverse engineering by researchers, we have a glimpse at the rare bug responsible.


9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.


How photo deletion works BTS

When a user navigates to delete an image from the Photos library, the device moves it to the Recently Deleted album and actually deletes it 30 days later. Of course, a user can permanently delete any of these photos before the 30-day mark.

Behind the scenes, the file isn’t necessarily erased. Since the iPhone uses a NAND storage system, the device instead marks the corresponding memory location as available for new data to be written. So old data isn’t physically removed right away; it remains intact until overwritten.

The benefits of using NAND include fast read/write speeds, better energy efficiency, and the ability to recover deleted files. It’s a pretty good non-volatile storage system–unless, well, there’s a bug.

The bug

Using an old iPhone 13, researchers at Synacktiv reverse-engineered last week’s iOS 17.5.1 update, identifying changes in the DYLD shared caches by comparing IPSW files.

According to Synacktiv, the more significant changes between iOS 17.5 and iOS 17.5.1 happened in the PLModelMigrationActionRegistration_17000 function within PhotoLibraryServices. This function registers migration handlers that convert data from an older format to the latest version.

PhotoLibraryServices among four dylibs that had substantial changes in iOS 17.5.1.
Image: Synacktiv
Pseudo-code changes highlighted in the PLModelMigrationActionRegistration function.
Image: Synacktiv

Most significantly, Apple removed a code segment within the function tasked with scanning and re-importing photos from the file system. As a result, the system initiated a reindexing process for older files stored in the local file system, inadvertently adding them back to users’ galleries.

“Based on this code, we can say that the photos that reappeared were still lying around on the filesystem and that they were just found by the migration routine added in iOS 17.5. “The reason why those files were there in the first place is unknown,” says Synacktiv.

This aligns with the iOS 17.5.1 release notes, in which Apple stated that the bug was caused by “database corruption.”

Apple also told 9to5Mac last week that photos that weren’t entirely deleted from devices were not synced to iCloud Photos. The bug was local on devices. The company emphasized that this problem was rare and affected a small number of users.

More in this series

FTC: We use income earning auto affiliate links. More.

Continue Reading