Уязвимость раскрытия имени пользователя через перечисление названий устройств с доступом к камере или микрофону в Thunderbird и Firefox
Описание
При первом подключении AirPods к iPhone они автоматически получают имя пользователя (например, "AirPods Джейн Доу"). Веб-сайты, имеющие разрешение на доступ к камере или микрофону, способны перечислять названия устройств, раскрывая имя пользователя. Чтобы решить эту проблему, Firefox добавил специальное условие, которое переименовывает устройства, содержащие подстроку "AirPods", просто в "AirPods".
Затронутые версии ПО
- Thunderbird версий до 68.6
- Firefox версий до 74
- Firefox ESR версий до 68.6
- Firefox ESR < 68.6
Тип уязвимости
Утечка информации
Ссылки
- Issue TrackingPermissions RequiredVendor Advisory
- Third Party Advisory
- Third Party Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Issue TrackingPermissions RequiredVendor Advisory
- Third Party Advisory
- Third Party Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
Уязвимые конфигурации
Одно из
Одно из
EPSS
5.3 Medium
CVSS3
5 Medium
CVSS2
Дефекты
Связанные уязвимости
The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate device names, disclosing the user's name. To resolve this issue, Firefox added a special case that renames devices containing the substring 'AirPods' to simply 'AirPods'. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6.
The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate device names, disclosing the user's name. To resolve this issue, Firefox added a special case that renames devices containing the substring 'AirPods' to simply 'AirPods'. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6.
The first time AirPods are connected to an iPhone, they become named a ...
The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate device names, disclosing the user's name. To resolve this issue, Firefox added a special case that renames devices containing the substring 'AirPods' to simply 'AirPods'. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6.
EPSS
5.3 Medium
CVSS3
5 Medium
CVSS2