CVE-2024-27844
📋 TL;DR
A website's permission dialog (for example a camera, microphone, location, or notification prompt) could remain on screen after the user navigated away from the site that requested it, so the user could approve a request believing it came from the page now displayed. It affects Safari on macOS Sonoma and on visionOS. Apple addressed it with improved UI handling in visionOS 1.2, macOS Sonoma 14.5, and Safari 17.5.
💻 Affected Systems
- visionOS
- macOS Sonoma
- Safari
📦 What is this software?
macOS by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Safari by Apple
⚠️ Risk & Real-World Impact
Worst Case
An attacker-controlled page requests a sensitive permission (camera, microphone, location, or notifications) and then navigates the user elsewhere; the prompt still belongs to the attacker's origin, so a click on Allow gives that origin a standing per-site grant that Safari honours on later visits without prompting again, enabling surveillance or data exfiltration until the user revokes it.
Likely Case
A user grants a permission to an origin they have already left, believing the prompt belongs to the trustworthy page now displayed; exposure is limited to what that origin can do with the permission while it is open in the browser.
If Mitigated
With prompt patching the impact is minimal: the mis-attributed dialog only occurs on unpatched versions, and any grant already made can be reviewed and revoked per site in Safari > Settings > Websites.
🎯 Exploit Status
Exploitation requires user interaction (the user must click Allow on the lingering dialog) but is technically simple once a user visits a malicious website: the page only needs to request a permission and then navigate away. None of the linked Apple advisories reports in-the-wild exploitation of this issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: visionOS 1.2, macOS Sonoma 14.5, Safari 17.5
Vendor Advisory: https://support.apple.com/en-us/HT214103
Restart Required: Yes
Instructions:
1. Open System Settings on macOS or Settings on visionOS.
2. Navigate to Software Update.
3. Install the latest available updates.
4. For Safari-only updates, open Safari and choose Safari > About Safari to check the version.
🔧 Temporary Workarounds
Tighten Safari's per-site defaults
In Safari > Settings > Websites, set Camera, Microphone, and Location to Deny for "When visiting other websites", and under Notifications uncheck "Allow websites to ask for permission to send notifications". Safari then refuses these requests without showing a dialog, which removes the prompt that this issue mis-attributes; sites that genuinely need a permission can be allowed individually in the same pane.
Review existing grants
In the same Websites pane, remove any Allow entries for sites you do not recognise or do not recall approving, since a grant made through a mis-attributed dialog looks no different from a legitimate one.
🧯 If You Can't Patch
- Until the update is installed, tell users that a permission prompt should only be accepted if it clearly belongs to the site they are currently on, to decline any prompt that appears during or just after navigation, and where to check and revoke grants (Safari > Settings > Websites)
- Network filtering of known malicious domains limits which sites get to present a prompt at all; it cannot detect this bug being used, because the prompt and the user's answer never cross the network
🔍 How to Verify
Check if Vulnerable:
Check current OS/browser version against affected versions. For macOS: About This Mac > macOS version. For Safari: Safari > About Safari.
Check Version:
macOS: sw_vers -productVersion; Safari: defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString
Verify Fix Applied:
Confirm version is visionOS 1.2+, macOS Sonoma 14.5+, or Safari 17.5+
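The three checks above as one script, added here as an example and not part of Apple's advisory or of this page's original content. It runs the same sw_vers and defaults commands, compares the results numerically component by component against the fixed releases, and treats macOS 12 and 13 as outside the scope of HT214103 (those systems receive the fix through the standalone Safari 17.5 update in HT214106, so only the Safari version is decisive there). The function names and the status words are this example's own choices.

```shell
#!/bin/sh
# Example version check for CVE-2024-27844 (added here, not Apple's code).
# Fixed releases per the advisories: macOS Sonoma 14.5, Safari 17.5.
FIXED_MACOS="14.5"
FIXED_SAFARI="17.5"

# ver_ge A B: exit 0 when dotted version A >= B.
# Components are compared numerically; a missing component counts as 0,
# so 14.5 and 14.5.0 compare equal and 14.5.1 is newer than 14.5.
ver_ge() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# macos_status VERSION: prints fixed | vulnerable | not-sonoma
# Only macOS 14.x (Sonoma) is covered by HT214103; for any other major
# version the Safari version alone decides.
macos_status() {
    case "$1" in
        14|14.*) if ver_ge "$1" "$FIXED_MACOS"; then echo fixed; else echo vulnerable; fi ;;
        *) echo not-sonoma ;;
    esac
}

# safari_status VERSION: prints fixed | vulnerable
safari_status() {
    if ver_ge "$1" "$FIXED_SAFARI"; then echo fixed; else echo vulnerable; fi
}

# installed_versions: read the live values on a Mac with the commands
# quoted in the verification steps, and report both statuses.
installed_versions() {
    os=$(sw_vers -productVersion)
    safari=$(defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString)
    printf 'macOS %s: %s\n' "$os" "$(macos_status "$os")"
    printf 'Safari %s: %s\n' "$safari" "$(safari_status "$safari")"
}

# Only query the live system when actually running on macOS; elsewhere the
# functions are just defined so they can be exercised with sample versions.
if [ "$(uname)" = Darwin ]; then
    installed_versions
fi
```

A "not-sonoma" result is not a clean bill of health: on macOS Ventura or Monterey the Safari line is the one that matters, and on visionOS the equivalent check is simply Settings > General > About showing 1.2 or later.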
📡 Detection & Monitoring
The permission prompt and the user's answer to it are handled entirely inside the browser: a permission request is a JavaScript API call that generates no HTTP request, and the grant is stored locally. Nothing about either appears in proxy or web-server logs, so the usable indicators are endpoint-side and network data can at most show which sites a user visited.
Endpoint Indicators:
- Allow entries in Safari > Settings > Websites (Camera, Microphone, Location, Notifications) for sites the user does not recognise or does not recall approving
- On macOS, the camera or microphone in-use indicator appearing while Safari is displaying a site that has no reason to use them
- User reports of a permission prompt that appeared during or just after navigating to a different site
Network Indicators:
- Visits to suspicious or newly registered domains immediately followed by navigation to a well-known site, consistent with a page requesting a permission and then redirecting; this is a weak signal on its own and needs endpoint corroboration
SIEM Query:
A proxy query that matches "permissions", "notification" or "geolocation" in URLs and filters on a "granted" status cannot work, because those strings are API names rather than request paths and proxies record no grant status. Use proxy logs only to pivot from a user's report to the sites that user visited in the minutes before the unexpected prompt, then confirm the grant on the endpoint.
🔗 References
- http://seclists.org/fulldisclosure/2024/Jun/5
- https://support.apple.com/en-us/HT214103 (macOS Sonoma 14.5)
- https://support.apple.com/en-us/HT214106 (Safari 17.5)
- https://support.apple.com/en-us/HT214108 (visionOS 1.2)