^{CVE-2020-12424:}WebRTC permission bypass vulnerability in Firefox versions prior to 78

Overview

This vulnerability allows a malicious website to bypass WebRTC permission prompts in Firefox. WebRTC (Web Real-Time Communication) is a technology that enables web applications to capture and stream audio and video without requiring plugins. Normally, Firefox requests user permission before allowing a website to access camera or microphone through WebRTC. However, due to this vulnerability, attackers could manipulate the permission system by supplying a URI of an origin that already had permissions granted, thereby gaining unauthorized access to a user's camera or microphone without explicit consent. This represents a serious privacy concern as it could allow websites to conduct audio or video surveillance without the user's knowledge.

Remediation

Users should update to Firefox version 78 or later, which contains a fix for this vulnerability. Mozilla has addressed the issue by implementing proper validation of URIs received from the content process during WebRTC permission prompts. System administrators should ensure that all Firefox installations are updated to the patched version. For environments where immediate updates are not possible, consider temporarily disabling WebRTC functionality through Firefox's configuration settings until updates can be applied. Organizations should also educate users about the importance of keeping browsers updated to protect against security vulnerabilities.

References

1. Mozilla Foundation Security Advisory (MFSA2020-24): https://www.mozilla.org/security/advisories/mfsa2020-24/
2. Mozilla Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1562600
3. openSUSE Security Update: http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00027.html
4. openSUSE Security Update: http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00049.html
5. Gentoo Linux Security Advisory GLSA-202007-10: https://security.gentoo.org/glsa/202007-10