Unsafe Browser - Sandbox escape by sniffing audio of the host system - deanonymization of Tor users
From https://git.radicallyopensecurity.com/ros/pen-tails/-/issues/15
I found a trivial way to sniff the audio inside the unsafe-browser sandbox. The threat scenario is that someone gets RCE inside the unsafe-browser sandbox. As you said, it is not a big deal unless someone can correlate the "clear" IP with the Tor activities. Taking screenshots doesn't work, and all other gnome-* tools raise errors. But the audio sniffing works fine, as shown in the following picture. Please note that I use the GUI because this tool has no CLI interface. However, I could build my own GTK application or load custom modules inside the gnome-sound-recorder app!
Edited by intrigeri
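A defender-side check for the class of gap described in the report above, added here as an example and not taken from the issue, from Tails or from its sandbox profile: it enumerates the host audio entry points a sandboxed process can still reach (ALSA device nodes under /dev/snd, the PulseAudio and PipeWire sockets under XDG_RUNTIME_DIR, and a PULSE_SERVER override). The sandbox root parameter, the constructed demo tree and the `build_demo_tree` helper are assumptions for offline illustration; run `audio_exposure("/")` inside the sandbox for a live check, and treat any finding as an audio capture path the profile has not closed.

```python
"""Audit whether a sandboxed process can still reach the host's audio stack.

Added example (not from the Tails issue or project). The device paths and
environment variables are the standard Linux/PulseAudio/PipeWire ones; the
`root` parameter and the demo tree built below are assumptions so the check
can run offline against a constructed filesystem.
"""
import os
import tempfile
from pathlib import Path

# Host-side audio entry points a sandbox profile should normally deny.
# /dev/snd/* are the ALSA device nodes; the sockets are the sound servers that
# gnome-sound-recorder and similar clients talk to.
ALSA_DEV_DIR = "dev/snd"
SOCKET_RELPATHS = ("pulse/native", "pipewire-0")
ENV_VARS = ("PULSE_SERVER",)


def audio_exposure(root="/", env=None):
    """Return a list of findings describing reachable audio endpoints under `root`.

    `root` is the filesystem as seen by the sandboxed process ("/" for a live
    check inside the sandbox, a constructed tree for testing). `env` is the
    process environment and defaults to os.environ. An empty list means no
    audio capture path was found.
    """
    env = os.environ if env is None else env
    root = Path(root)
    findings = []

    # 1. ALSA device nodes: any readable capture node is enough for sniffing.
    snd = root / ALSA_DEV_DIR
    if snd.is_dir():
        nodes = [p.name for p in snd.iterdir() if p.is_char_device() or p.is_file()]
        readable = [n for n in nodes if os.access(snd / n, os.R_OK)]
        if readable:
            findings.append(f"ALSA device nodes readable: {sorted(readable)}")

    # 2. Sound-server sockets live under XDG_RUNTIME_DIR (usually /run/user/<uid>).
    runtime = env.get("XDG_RUNTIME_DIR")
    if runtime:
        runtime_dir = root / runtime.lstrip("/")
        for rel in SOCKET_RELPATHS:
            sock = runtime_dir / rel
            if sock.exists() and (sock.is_socket() or sock.is_file()):
                findings.append(f"sound-server socket reachable: {sock}")

    # 3. Environment overrides that point a client at a server elsewhere.
    for var in ENV_VARS:
        if env.get(var):
            findings.append(f"{var} points the client at a server: {env[var]}")

    return findings


def build_demo_tree(leaky=True):
    """Constructed sandbox root for offline demonstration (an assumption, not a
    capture from Tails). leaky=True mimics a profile that forgot to hide
    /dev/snd and the PulseAudio socket; leaky=False mimics a sealed one.
    Regular files stand in for the device node and the Unix socket."""
    base = Path(tempfile.mkdtemp(prefix="sandbox-audit-"))
    if leaky:
        (base / "dev/snd").mkdir(parents=True)
        (base / "dev/snd/pcmC0D0c").write_bytes(b"")  # stand-in capture node
        (base / "run/user/1000/pulse").mkdir(parents=True)
        (base / "run/user/1000/pulse/native").write_bytes(b"")  # stand-in socket
    else:
        (base / "dev").mkdir(parents=True)
        (base / "run/user/1000").mkdir(parents=True)
    return base


if __name__ == "__main__":
    demo_env = {"XDG_RUNTIME_DIR": "/run/user/1000"}
    for leaky in (True, False):
        label = "leaky profile" if leaky else "sealed profile"
        result = audio_exposure(build_demo_tree(leaky), demo_env)
        print(label, "->", result or ["no audio endpoints reachable"])
```

The check only reports what is reachable; closing the gap is a matter of the sandbox profile (hiding /dev/snd and not bind-mounting the sound-server sockets into the sandbox), and running the audit after each profile change confirms the result stays empty.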