macOS Privacy Protections Bypass Disclosed After Apple Fails to Release Fix

Details of a macOS privacy protections bypass were published this week, more than six months after Apple was informed of the issue; the company has yet to ship a fix.


TCC (Transparency, Consent, and Control) is the macOS privacy protection system that keeps certain user data, such as the contents of ~/Library/Safari, out of reach of applications that have not been granted access. macOS Mojave extended TCC to cover these files, so that an app must either be explicitly allowed by the user or be on Apple's own exception list to read them.


Software engineer and app developer Jeff Johnson discovered that a malicious application could access files in ~/Library/Safari, which are typically restricted to Safari and Finder, or applications that have been granted special permissions, such as ‘Full Disk Access’.


The exploit, as Johnson explains, relies on two weaknesses in TCC: the exceptions are keyed on an application's bundle identifier rather than its path on disk, and TCC does not perform a deep code-signature check, so modifications to an app's bundled resources go unnoticed as long as the main executable's signature still verifies.


“Thus, an attacker can make a copy of an app at a different location on disk, modify the resources of the copy, and the copy of the app with modified resources will still have the same file access as the original app, in this case, Safari,” Johnson says.
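The two weaknesses above can be illustrated with a small model. The following is an added example written for this article, not code from Johnson's project or from Apple: it builds a toy application bundle (the layout, the JSON seal file and the bundle identifier com.example.browser are all constructed here and do not reproduce Apple's real CodeResources format), copies it to a different path, modifies a resource in the copy, and then shows that a check keyed on bundle identifier plus main-executable hash still accepts the copy, while a deep check that covers every sealed resource rejects it.

```python
"""Model of shallow vs. deep code-signature checks on a copied app bundle.

Constructed illustration, not Apple's code: a 'bundle' is a directory with
a main executable, some resources and a seal file listing SHA-256 hashes.
A shallow check (bundle identifier + main executable) passes for a copy of
the bundle with modified resources; a deep check (every sealed resource)
does not.
"""
import hashlib
import json
import os
import shutil
import tempfile

SEAL = os.path.join("_CodeSignature", "CodeResources")  # assumed layout


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def sign_bundle(root):
    """Write a seal covering the main executable and every resource."""
    res_dir = os.path.join(root, "Contents", "Resources")
    seal = {
        "executable": sha256_file(os.path.join(root, "Contents", "MacOS", "main")),
        "resources": {n: sha256_file(os.path.join(res_dir, n))
                      for n in sorted(os.listdir(res_dir))},
    }
    with open(os.path.join(root, "Contents", SEAL), "w") as f:
        json.dump(seal, f)


def make_bundle(root, bundle_id, executable, resources):
    """Create a toy .app bundle (constructed layout) and seal it."""
    for sub in ("MacOS", "Resources", "_CodeSignature"):
        os.makedirs(os.path.join(root, "Contents", sub))
    with open(os.path.join(root, "Contents", "Info.plist"), "w") as f:
        json.dump({"CFBundleIdentifier": bundle_id}, f)
    with open(os.path.join(root, "Contents", "MacOS", "main"), "wb") as f:
        f.write(executable)
    for name, data in resources.items():
        with open(os.path.join(root, "Contents", "Resources", name), "wb") as f:
            f.write(data)
    sign_bundle(root)


def bundle_identifier(root):
    with open(os.path.join(root, "Contents", "Info.plist")) as f:
        return json.load(f)["CFBundleIdentifier"]


def load_seal(root):
    with open(os.path.join(root, "Contents", SEAL)) as f:
        return json.load(f)


def verify_shallow(root):
    """Check only the main executable against the seal."""
    seal = load_seal(root)
    return seal["executable"] == sha256_file(
        os.path.join(root, "Contents", "MacOS", "main"))


def verify_deep(root):
    """Check the executable and every sealed resource; added files fail too."""
    if not verify_shallow(root):
        return False
    seal = load_seal(root)
    res_dir = os.path.join(root, "Contents", "Resources")
    if sorted(os.listdir(res_dir)) != sorted(seal["resources"]):
        return False
    return all(sha256_file(os.path.join(res_dir, n)) == h
               for n, h in seal["resources"].items())


def tcc_allows(root, allowed_bundle_id, deep=False):
    """TCC-like decision: identity is the bundle identifier, not the path."""
    if bundle_identifier(root) != allowed_bundle_id:
        return False
    return verify_deep(root) if deep else verify_shallow(root)


def demo():
    """Copy a sealed bundle elsewhere, tamper with a resource, compare checks."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "Applications", "Browser.app")
    make_bundle(original, "com.example.browser", b"original main binary",
                {"Prefs.js": b"original preferences pane script"})
    copy = os.path.join(work, "tmp", "Browser.app")  # same bundle ID, new path
    shutil.copytree(original, copy)
    with open(os.path.join(copy, "Contents", "Resources", "Prefs.js"), "wb") as f:
        f.write(b"modified resource")  # executable untouched, resource swapped
    result = {
        "original_shallow": tcc_allows(original, "com.example.browser"),
        "copy_shallow": tcc_allows(copy, "com.example.browser"),
        "copy_deep": tcc_allows(copy, "com.example.browser", deep=True),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

Running demo() returns original_shallow and copy_shallow as True and copy_deep as False: a policy that identifies an app by bundle identifier and verifies only its main executable cannot tell the relocated, tampered copy from the real thing, which is exactly the gap the bypass exploits.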


He also notes that Safari makes the exploit possible because the JavaScript to display the Extensions pane in Safari Preferences is run “in the context of the main app rather than in the sandboxed context of the Web Content helper,” and the main Safari app has access to files in the aforementioned directory.


Johnson also shared a sample Xcode project to demonstrate how the exploit is possible, but explains that the bypass could be accomplished by any application downloaded from the Internet.


“My sample exploit uploads some of your private data (your Top Sites, for example) to a server that I co ..
