Security researcher discloses privacy protection bypass bug in Apple’s macOS Mojave, macOS Catalina and macOS Big Sur after waiting 6 months for Apple to fix it
This is a disaster waiting to happen. Security researcher Jeff Johnson of Lapcat Software found a privacy protection bypass bug affecting Apple’s macOS X versions Mojave and Catalina, and also the latest macOS XI Big Sur. Like any security researcher, Johnson made a responsible disclosure to Apple about the bug, but was frustrated to find Apple just dithering over his security report. Johnson says he submitted the bug details to Apple’s Security Bounty program on the day it opened for business, December 19, 2019, but Apple just dithered. He waited a good long 6 months before going public with his research.
Apple macOS Mojave, macOS Catalina, macOS Big Sur privacy protection bypass bug
In a blog post, Johnson says that all of Apple’s current macOS versions, macOS Mojave, Catalina, and even the latest macOS XI Big Sur, are vulnerable to this bug. The bug lies in the way these operating systems handle Apple’s Transparency, Consent, and Control (TCC) privacy sandboxing system. Johnson points out two fundamental flaws in TCC that make this exploit possible:
- TCC exceptions (recorded in “~/Library/Application Support/com.apple.TCC/TCC.db”) are based on the bundle identifier of an app rather than the file path.
- TCC only superficially checks the code signature of the app.
Once exploited, the TCC bugs allow a potential hacker to bypass the sandboxing procedures and privacy protection tools and read Safari’s files. Essentially, the bug allows a malicious app to access protected files such as the macOS browser history.
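As an added illustration (not code from Johnson’s post or from this article), the following audit applies the first flaw from the defender’s side: because TCC keys an exception on the bundle identifier, any bundle on disk that carries the same identifier inherits the grant, so an auditor can list every allowed grant whose identifier is claimed by zero or several bundles. The table layout, the app inventory and all paths are constructed stand-ins; the real TCC.db schema differs across macOS releases.

```python
import sqlite3

# Constructed, simplified stand-in for the TCC.db "access" table
# (service, client bundle identifier, allowed). Not the real schema.
TCC_ROWS = [
    ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 1),   # Full Disk Access
    ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 1),
    ("kTCCServiceCalendar", "com.example.chat", 0),
]

# Constructed inventory of app bundles, as an auditor might collect it with
# mdfind/codesign: (path, bundle identifier, signer reported for the bundle).
APPS_ON_DISK = [
    ("/Applications/Utilities/Terminal.app", "com.apple.Terminal", "Apple"),
    ("/Applications/Backup.app", "com.example.backup", "Developer ID: Example Co"),
    ("/Users/alice/Downloads/Backup.app", "com.example.backup", "unsigned"),
    ("/Applications/Chat.app", "com.example.chat", "Developer ID: Example Co"),
]

def load_tcc(rows):
    """Build an in-memory table with the constructed layout above."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE access(service TEXT, client TEXT, allowed INTEGER)")
    db.executemany("INSERT INTO access VALUES (?, ?, ?)", rows)
    return db

def find_ambiguous_grants(db, apps):
    """Return {(service, bundle_id): [(path, signer), ...]} for every allowed
    grant whose bundle identifier does not map to exactly one bundle on disk.
    Several bundles sharing the id all inherit the grant; zero bundles means a
    stale grant that a newly installed bundle with that id would pick up."""
    by_id = {}
    for path, bundle_id, signer in apps:
        by_id.setdefault(bundle_id, []).append((path, signer))
    findings = {}
    query = "SELECT service, client FROM access WHERE allowed = 1"
    for service, client in db.execute(query):
        bundles = by_id.get(client, [])
        if len(bundles) != 1:
            findings[(service, client)] = bundles
    return findings

def audit(rows=TCC_ROWS, apps=APPS_ON_DISK):
    return find_ambiguous_grants(load_tcc(rows), apps)

if __name__ == "__main__":
    for (service, client), bundles in audit().items():
        print(service, client, bundles or "no bundle on disk")
```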
Let me explain the issue in slightly less technical terms. In this case, only Safari and Finder should be authorized (by Apple) to access the files in ~/Library/Safari, unless you grant special authorization to another app, such as giving “Full Disk Access” to Terminal. My bypass demonstrates that a maliciously crafted app can also access those files, without being given authorization. Any app that you download from the web could accomplish this privacy protections bypass.
Jeff Johnson, Lapcat Software
Johnson has published a complete proof-of-concept in his blog post. He told The Register that he was frustrated with Apple’s security team. “Talking to Apple Product Security is like talking to a brick wall. I suspect that Apple doesn’t trust outsiders with any information, but this attitude is counterproductive, because it just alienates the people who report bugs, and turns them away from bug reporting. Distrust from one side causes distrust from the other side too.”
Johnson says that the bug is not as serious as someone remotely taking over a PC/laptop, but it still deserves better understanding from Apple, as hackers could gain access to confidential information about the macOS user.
Apple has not yet responded to Johnson’s disclosure or the bug.