CVE-2016-4603

Vulnerability

The vulnerability exists in Web Media handling on Apple iOS versions prior to 9.3.3. It allows an attacker to bypass the Private Browsing protection mechanism by exploiting misbehavior in the Safari View Controller. Affected devices include iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later running iOS versions before 9.3.3. [1]

Exploitation

An attacker must first lure the user into interacting with a malicious webpage or content that triggers the Safari View Controller. Through this interaction, the attacker can obtain sensitive video URL information that was intended to be protected by the Private Browsing feature. [1]

Impact

Successful exploitation leads to the disclosure of video URLs visited by the user while in Private Browsing mode. This represents an information disclosure vulnerability, but no other impacts on confidentiality, integrity, or availability are described. [1]

Mitigation

The issue is resolved in iOS 9.3.3, released on July 18, 2016. Users are advised to update to the latest available iOS version. No workarounds are known for this vulnerability. [1]