Cross-Origin Audio Exfiltration in Apple Products
CVE-2018-4278

4.3MEDIUM

Key Information:

Vendor

Apple
Status
iPhone OS
Safari
TV OS
Vendor
CVE Published:
11 January 2019

What is CVE-2018-4278?

This vulnerability allows audio data fetched through audio elements in affected Apple products to be exfiltrated across different origins. Specifically, in versions of Safari, iTunes, iOS, tvOS, and iCloud prior to the specified updates, inadequate tracking of audio origins could permit malicious actors to exploit the system. The issue has been mitigated through enhanced audio taint tracking techniques in subsequent updates, which aim to prevent unauthorized access to sensitive audio data.

References

https://support.apple.com/HT208934%2C
x_refsource_MISC
https://support.apple.com/HT208932
x_refsource_CONFIRM
https://usn.ubuntu.com/3743-1/
vendor-advisoryx_refsource_UBUNTU

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.