The Geolocation API is used to obtain the location of the user's host device, and it comes with a complete set of mechanisms for protecting user privacy. However, the vulnerability CVE-2016-1776 bypasses the security mechanism by which Geolocation authenticates the requesting source, which can lead to leakage of the user's private data. Building on an analysis of the causes of the CVE-2016-1779 vulnerability, this article explores the Geolocation privacy mechanism. Interspersed with it is the "story" of Apple's acquisition of location data, which serves as a further warning about user privacy.
On iOS, Geolocation authentication is handled by a UIWebView. An attacker can bypass the same-origin policy so that the authentication prompt pops up under any domain, and once the user clicks Allow, the user's location can be accessed. On the iOS platform, both Safari and Chrome are affected by this vulnerability.
Affected products: WebKit in Apple iOS < 9.3 and Safari < 9.1, Chrome
Vulnerability fix date: 2016/3/21