macOS Privacy Protections Bypass Disclosed After Apple Fails to Release Fix

Details on a macOS privacy protections bypass method were published this week, more than six months after Apple was informed of the issue but failed to deliver a fix.

Dubbed TCC (Transparency, Consent, and Control), the privacy protections system was introduced in macOS Mojave to ensure that certain files on the system are kept out of reach of unauthorized applications.

Software engineer and app developer Jeff Johnson discovered that a malicious application could access files in ~/Library/Safari, which are typically restricted to Safari and Finder, or applications that have been granted special permissions, such as ‘Full Disk Access’.

The exploit, the app dev explains, targets two flaws in TCC, namely the fact that TCC exceptions rely on an application’s bundle identifier and not the file path, and that TCC doesn’t do a deep check of code signatures.

“Thus, an attacker can make a copy of an app at a different location on disk, modify the resources of the copy, and the copy of the app with modified resources will still have the same file access as the original app, in this case, Safari,” Johnson says.
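As an added illustration (not Johnson's code or Apple's), the following defender-side audit looks for the condition described above: app bundles that carry a watched bundle identifier but sit outside their expected path, with a comparison of each resource against the hashes sealed in `_CodeSignature/CodeResources`. The identifier-to-path map, the function names and the sample bundles are assumptions constructed for the example.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

def load_plist(path):  # returns {} when the file is missing or malformed
    try:
        data = plistlib.loads(Path(path).read_bytes())
        return data if isinstance(data, dict) else {}
    except Exception:
        return {}

def changed_resources(app):
    """Sealed files whose SHA-256 no longer matches hash2; None if no readable seal."""
    files = load_plist(app / "Contents/_CodeSignature/CodeResources").get("files2")
    if not isinstance(files, dict):
        return None
    bad = []
    for rel, entry in files.items():
        f = app / "Contents" / rel
        if isinstance(entry, dict) and "hash2" in entry:  # skip nested code, symlinks
            actual = hashlib.sha256(f.read_bytes()).digest() if f.is_file() else None
            if actual != entry["hash2"] and not (actual is None and entry.get("optional")):
                bad.append(rel)
    return sorted(bad)

def audit(root, expected):
    """Flag bundles under root that carry a watched identifier at an unexpected path."""
    findings = []
    for app in sorted(Path(root).rglob("*.app")):
        bid = str(load_plist(app / "Contents/Info.plist").get("CFBundleIdentifier"))
        if bid in expected and app.resolve() != Path(expected[bid]).resolve():
            findings.append({"path": str(app), "bundle_id": bid, "changed": changed_resources(app)})
    return findings

def make_bundle(path, bid, js, sealed_js=None):
    """Build a constructed .app skeleton with one sealed resource (sample input)."""
    c = Path(path) / "Contents"
    (c / "Resources").mkdir(parents=True)
    (c / "_CodeSignature").mkdir()
    (c / "Info.plist").write_bytes(plistlib.dumps({"CFBundleIdentifier": bid}))
    (c / "Resources/pane.js").write_bytes(js)
    seal = {"files2": {"Resources/pane.js": {"hash2": hashlib.sha256(sealed_js or js).digest()}}}
    (c / "_CodeSignature/CodeResources").write_bytes(plistlib.dumps(seal))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample bundles
        make_bundle(f"{d}/Applications/Safari.app", "com.apple.Safari", b"original")
        make_bundle(f"{d}/Downloads/Safari.app", "com.apple.Safari", b"changed", b"original")
        print(audit(d, {"com.apple.Safari": f"{d}/Applications/Safari.app"}))
```

The seal check only compares hashes and does not validate the signature over the seal itself; on macOS, `codesign --verify --deep --strict` performs the full verification.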

He also notes that Safari makes the exploit possible because the JavaScript to display the Extensions pane in Safari Preferences is run “in the context of the main app rather than in the sandboxed context of the Web Content helper,” and the main Safari app has access to files in the aforementioned directory.

Johnson also shared a sample Xcode project to demonstrate how the exploit is possible, but explains that the bypass could be accomplished by any application downloaded from the Internet.

“My sample exploit uploads some of your private data (your Top Sites, for example) to a server that I control, because that’s an easy thing to do when I can run any JavaScript I want,” the developer notes.

The vulnerability was discovered in September 2019 and Apple was informed of the matter on December 19, 2019, the same day the Apple Security Bounty Program was opened to the public.

To date, however, the Cupertino-based company hasn’t released a fix and Johnson believes that one won’t arrive before macOS Big Sur is released. The developer said he requested updates from Apple several times, but even in the latest response (on June 29), the company said it was “still investigating the issue.”

“I don’t believe that the issue will be fixed by Apple before Big Sur is released to the public in the Fall. I’ve seen no evidence that Big Sur makes any effort in this direction, and Apple’s email to me shows no evidence of that either. Therefore, I’m disclosing the issue now. It’s been over 6 months since I reported the issue to Apple,” Johnson says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
