PatchSiren

CVE-2016-8507 Yandex CVE debrief

CVE-2016-8507 is a medium-severity issue in Yandex Browser for iOS where facetime:// URLs were not properly restricted. A crafted website could cause a FaceTime call to start without the user’s approval and expose video and audio data from the device. The issue was publicly disclosed on 2017-03-01 and is fixed in 16.10.0.2357 and later; versions before 16.10.0.2357 are affected.

Vendor: Yandex
Product: Yandex Browser for iOS
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Organizations and individuals using Yandex Browser on iOS, especially teams managing iPhone/iPad fleets or sensitive environments where unexpected camera/microphone access is a concern.

Technical summary

The vulnerability is an improper restriction of processing for facetime:// URLs in Yandex Browser for iOS before 16.10.0.2357. According to the NVD record, exploitation requires network access and user interaction, but no privileges; a crafted web page can trigger a FaceTime call without approval. The impact is confidentiality-focused (CVSS v3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N), consistent with unauthorized exposure of audio and video data. NVD maps the weakness to CWE-200.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Yandex Browser for iOS to 16.10.0.2357 or later.
  • Review mobile browser policies to limit automatic handling of external URL schemes such as facetime:// where feasible.
  • Alert users that unexpected prompts or call initiation from webpages should be treated as suspicious.
  • Monitor mobile fleet software inventory to confirm affected versions are removed.
  • Use the vendor advisory and NVD record to verify remediation status and version boundaries.
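
The inventory check in the list above can be scripted. The following is an added example, not code from the vendor or from NVD: it compares installed versions against the 16.10.0.2357 boundary numerically, since a plain string comparison would rank 16.9.x above 16.10.x. The CSV layout, column names, app label and device IDs are constructed assumptions standing in for whatever your MDM exports.

```python
import csv
import io

FIXED = (16, 10, 0, 2357)  # first fixed build, per the version boundary on this page

# Constructed sample of an MDM app-inventory export; the column names and
# the app label are assumptions, not a real MDM schema.
SAMPLE_INVENTORY = """device_id,platform,app_name,app_version
ipad-001,iOS,Yandex Browser,16.9.1.1201
iphone-002,iOS,Yandex Browser,16.10.0.2357
iphone-003,iOS,Yandex Browser,16.10.0.2356
iphone-004,iOS,Yandex Browser,17.1.0.100
iphone-005,iOS,Yandex Browser,unknown
android-006,Android,Yandex Browser,16.4.0.1000
iphone-007,iOS,Safari,10.0
iphone-008,iOS,Yandex Browser,16.10
"""


def parse_version(text):
    """Return a 4-part integer tuple, or None if the string is not a dotted number."""
    parts = text.strip().split(".")
    if len(parts) > len(FIXED) or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (len(FIXED) - len(nums)))  # "16.10" -> (16, 10, 0, 0)


def classify(version_text):
    """'vulnerable' if before the fixed build, 'fixed' otherwise, 'unknown' if unparseable."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # never silently treat an unreadable version as safe
    return "vulnerable" if version < FIXED else "fixed"


def audit(inventory_csv, app_name="Yandex Browser"):
    """Map device_id -> status for iOS installs of the named app."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["platform"].lower() != "ios" or row["app_name"] != app_name:
            continue  # the CVE covers only the iOS build of this browser
        results[row["device_id"]] = classify(row["app_version"])
    return results


if __name__ == "__main__":
    for device, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{device}\t{status}")
```

Devices reported as unknown need manual follow-up rather than being counted as remediated.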

Evidence notes

Evidence is based on the supplied NVD record and linked vendor reference. The record states: Yandex Browser for iOS before 16.10.0.2357 does not properly restrict facetime:// URL processing; a crafted website can initiate a FaceTime call and obtain audio/video data. NVD lists the affected CPE as yandex_browser on iPhone OS with vulnerable versions ending before 16.10.0.2357, CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, and CWE-200. The CVE was published on 2017-03-01 and modified on 2026-05-13.

Official resources

Publicly disclosed in the official NVD record on 2017-03-01, with vendor advisory references included in the record. The NVD entry was last modified on 2026-05-13.