Full Report
An Exposure of Private Personal Information to an Unauthorized Actor vulnerability (CVE-2025-11598) has been found in the mObywatel application for iOS.
Analysis Summary
# Vulnerability: Exposure of Private Personal Information via iOS App Switcher in mObywatel
## CVE Details
- CVE ID: CVE-2025-11598
- CVSS Score: N/A (no score is given in the advisory; the issue is classified as exposure of private personal information)
- CWE: CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor)
## Affected Systems
- Products: mObywatel application
- Versions: All versions before 4.71.0 (iOS only)
- Configurations: Standard iOS installation of the affected application version.
## Vulnerability Description
The vulnerability resides in the iOS version of the mObywatel application. When an app is moved to the background, iOS captures a snapshot of whatever the app last drew on screen and shows that snapshot as the app's card in the App Switcher (multitasking view). The affected versions did not mask their content before this snapshot was taken, so anyone who can open the App Switcher on the unlocked device can read the private personal information the account owner was viewing just before minimizing the app. The snapshot outlives the user's authentication session: it stays visible even after the session has ended and reopening the app requires re-authentication. The specific data exposed is context-dependent, reflecting the last screen viewed.
## Exploitation
- Status: No exploitation in the wild is documented in the advisory.
- Complexity: Low (opening the App Switcher is trivial on iOS).
- Attack Vector: Local (requires physical access to the unlocked device while the app is still listed in the App Switcher; the snapshot persists until the app is next brought to the foreground or swiped out of the switcher, so the attacker does not have to act immediately after the victim minimizes the app).
## Impact
- Confidentiality: High (Private Personal Information is exposed).
- Integrity: None (no data modification capability is described).
- Availability: No direct impact.
## Remediation
### Patches
- Upgrade the mObywatel application to **version 4.71.0 or later** (for iOS).
### Workarounds
- Until the update is installed, force-quit the mObywatel application (swipe it out of the App Switcher) as soon as the session is finished, rather than only minimizing it; this discards the snapshot that the switcher would otherwise keep showing.
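The developer-side hardening for this bug class, shown here as an added example that is not mObywatel's code and not the vendor's actual 4.71.0 fix: cover the key window with an opaque view as soon as the scene stops being active, so the App Switcher snapshot contains the cover instead of the user's data, and remove it when the scene becomes active again. It assumes a UIKit app using window scenes (iOS 13 or later); `PrivacyShield`, the placeholder root view controller and the "mObywatel" label text are illustrative names chosen for the example.

```swift
import UIKit

// Added example, not mObywatel's code or its actual fix. `PrivacyShield` is a
// hypothetical helper name; it assumes a UIKit app built on UIWindowScene.
final class PrivacyShield {
    private weak var window: UIWindow?
    private var cover: UIView?
    private var tokens: [NSObjectProtocol] = []

    init(window: UIWindow) {
        self.window = window
        let center = NotificationCenter.default
        // The scene is deactivated (home gesture, app switcher, incoming call,
        // Control Center) before iOS captures the switcher snapshot, so the
        // cover added here is what ends up in the snapshot.
        tokens.append(center.addObserver(forName: UIScene.willDeactivateNotification,
                                         object: nil, queue: .main) { [weak self] _ in
            self?.showCover()
        })
        // Remove the cover once the scene is active and on screen again.
        tokens.append(center.addObserver(forName: UIScene.didActivateNotification,
                                         object: nil, queue: .main) { [weak self] _ in
            self?.hideCover()
        })
    }

    deinit {
        tokens.forEach { NotificationCenter.default.removeObserver($0) }
    }

    private func showCover() {
        guard let window = window, cover == nil else { return }
        // Opaque background rather than a blur: a light blur still leaves
        // large text (names, ID numbers) legible in the thumbnail.
        let view = UIView(frame: window.bounds)
        view.backgroundColor = .systemBackground
        view.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        let label = UILabel(frame: view.bounds)
        label.text = "mObywatel"      // placeholder branding, hypothetical
        label.textAlignment = .center
        label.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        view.addSubview(label)
        // Added synchronously and without animation so it is fully drawn
        // by the time the system takes the snapshot.
        window.addSubview(view)
        cover = view
    }

    private func hideCover() {
        cover?.removeFromSuperview()
        cover = nil
    }
}

// Wiring: create the shield as soon as the window exists. The real app
// would install its own root view controller in place of the placeholder.
final class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?
    private var shield: PrivacyShield?

    func scene(_ scene: UIScene, willConnectTo session: UISceneSession,
               options connectionOptions: UIScene.ConnectionOptions) {
        guard let windowScene = scene as? UIWindowScene else { return }
        let window = UIWindow(windowScene: windowScene)
        window.rootViewController = UIViewController() // placeholder root
        window.makeKeyAndVisible()
        self.window = window
        shield = PrivacyShield(window: window)
    }
}
```

To verify the fix on a device, open a screen with personal data, swipe up to the App Switcher, and check that the card shows the cover and not the data; repeat after locking and unlocking the phone, since the stored snapshot survives a lock. Two caveats: the cover must be installed in the deactivation hook, not only in `sceneDidEnterBackground(_:)`, because some interruptions (Control Center, notification banners) deactivate the scene without backgrounding it; and `UIApplication.ignoreSnapshotOnNextApplicationLaunch()` only suppresses reuse of the snapshot as a launch image, it does not remove the thumbnail from the switcher, so it is not a substitute for masking the window.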
## Detection
- Indicators of compromise: None are available on the device or server side. The attacker only reads a snapshot that iOS stores outside the app, so the exposure leaves no trace in application or backend logs.
- Detection methods and tools: Not specified in the advisory. In practice, detection is limited to physical-access controls and to user reports of their data being shown in the App Switcher; the practical check is to confirm the installed version is 4.71.0 or later.
## References
- Vendor advisories: Centralny Ośrodek Informatyki (via CERT Polska coordination).
- Relevant links - defanged:
- hxxps://incydent.cert.pl/#!/lang=en
- hxxps://cert.pl/en/cvd/