updated 06:20 pm EST, Tue February 28, 2012
Severity of threat still uncertain
An iOS vulnerability may be allowing some apps to access a person's entire photo/video library, say developers in touch with the New York Times. The flaw emerges only once a person authorizes an app to use location information, but at that point photo/video access opens up without any extra prompting. The location pop-up does say it will allow "access to location information in photos and videos," but makes no mention of sharing the media itself.
One developer, Curio co-founder David Chen, notes that an app could potentially gather location histories and media and upload them both to a remote server. An anonymous developer reached by the Times, meanwhile, has created an unpublished test app -- "PhotoSpy" -- that successfully demonstrates the theory.
Apple has come under fire in recent weeks for a separate iOS hole allowing apps to access or upload a person's entire address book without permission. Several companies have been forced to amend the way they handle contact data, even though Apple claims that such apps are already against guidelines. The company has promised that a future firmware update will require apps to ask permission before accessing contact data, but no date has been set.