CVE-2022-32913

Vulnerability

The vulnerability resides in the observability of app states, allowing a sandboxed app to infer which app is currently using the camera. This affects macOS Big Sur before 11.7, macOS Monterey before 12.6, macOS Ventura before 13, iOS before 16, watchOS before 9, and tvOS before 16 [1][2][3][4].

Exploitation

An attacker requires a sandboxed app installed on the device. No additional privileges or user interaction beyond running the app are needed. The app can query system state to determine camera usage by another app, exploiting the insufficient restrictions on state observability.

Impact

Successful exploitation results in information disclosure: the attacker learns which app is currently using the camera. This violates user privacy but does not allow code execution, data modification, or access to camera content itself.

Mitigation

Apple addressed the issue by adding additional restrictions on app state observability. Fixed versions include macOS Big Sur 11.7, macOS Monterey 12.6, macOS Ventura 13, iOS 16, watchOS 9, and tvOS 16, released on September 12, 2022 (most platforms) and October 24, 2022 (macOS Ventura 13) [1][2][3][4]. Users should update to the latest available OS version; no workarounds are documented.