Details of a macOS privacy-protection bypass were published this week, more than six months after Apple was informed of the issue and without a fix having been delivered.
TCC (Transparency, Consent, and Control) is the privacy-protection system that, since macOS Mojave, keeps certain user files out of reach of applications the user has not explicitly authorized.
Software engineer and app developer Jeff Johnson discovered that a malicious application could read files in ~/Library/Safari, a directory normally accessible only to Safari and Finder, or to applications that have been granted a special permission such as ‘Full Disk Access’.
The exploit, Johnson explains, relies on two weaknesses in TCC: its exceptions are keyed on an application’s bundle identifier (the CFBundleIdentifier in the bundle’s Info.plist) rather than on the path of the binary on disk, and it does not perform a deep check of the application’s code signature, so changes to resources inside a copied bundle go unnoticed.
“Thus, an attacker can make a copy of an app at a different location on disk, modify the resources of the copy, and the copy of the app with modified resources will still have the same file access as the original app, in this case, Safari,” Johnson says.
Johnson also published a sample Xcode project demonstrating the exploit, but notes that the bypass could be carried out by any application downloaded from the Internet.
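The flaw Johnson describes has a simple detection signature: an application bundle that reuses a trusted bundle identifier (here com.apple.Safari) from a location where Apple’s copy does not live. The script below, an added example that is not part of this article or of Johnson’s sample project, builds a constructed fake disk layout in a temporary directory and scans it for exactly that pattern. The trusted prefixes, the fake bundle paths and the victim’s user name are assumptions for the demonstration; on a real Mac you would point find_collisions() at “/” and then run `codesign --verify --deep --strict` on anything it flags, which is the deep signature check TCC is described as not performing.

```python
#!/usr/bin/env python3
"""Hunt for .app bundles that reuse a trusted bundle identifier from an
untrusted location, the pattern behind the TCC bypass described above.

Added example, not Jeff Johnson's code. Every path and bundle here is
constructed in a temporary directory so the script runs offline on any OS.
"""
import os
import plistlib
import shutil
import tempfile

# Assumption: Apple-signed apps legitimately live under these prefixes; a
# bundle elsewhere that carries the same identifier is worth a closer look.
TRUSTED_PREFIXES = ("/Applications/", "/System/")


def bundle_id_of(app_path):
    """Return CFBundleIdentifier from <app>/Contents/Info.plist, or None."""
    info = os.path.join(app_path, "Contents", "Info.plist")
    try:
        with open(info, "rb") as fh:
            return plistlib.load(fh).get("CFBundleIdentifier")
    except (OSError, plistlib.InvalidFileException):
        return None


def collect_bundles(root):
    """Walk root (descending into bundles, since a copy may be nested inside
    another app's Resources) and map each identifier to the .app paths using it."""
    seen = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.endswith(".app"):
                app = os.path.join(dirpath, d)
                bid = bundle_id_of(app)
                if bid:
                    seen.setdefault(bid, []).append(app)
    return seen


def find_collisions(root, trusted_prefixes=TRUSTED_PREFIXES):
    """Return {bundle_id: [paths]} for every identifier that appears both under
    a trusted prefix and somewhere outside it; paths are reported relative to root."""
    def rel(p):
        return "/" + os.path.relpath(p, root).replace(os.sep, "/")
    suspects = {}
    for bid, apps in collect_bundles(root).items():
        trusted = [a for a in apps if rel(a).startswith(trusted_prefixes)]
        rogue = [a for a in apps if not rel(a).startswith(trusted_prefixes)]
        if trusted and rogue:
            suspects[bid] = sorted(rel(a) for a in rogue)
    return suspects


def make_fake_app(root, rel_path, bundle_id):
    """Create a minimal bundle skeleton containing only an Info.plist (constructed)."""
    contents = os.path.join(root, rel_path.lstrip("/"), "Contents")
    os.makedirs(os.path.join(contents, "Resources"), exist_ok=True)
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": bundle_id,
                       "CFBundleExecutable": os.path.basename(rel_path)[:-4]}, fh)


def demo():
    """Build a constructed disk layout, scan it, and return the suspects."""
    root = tempfile.mkdtemp(prefix="tcc-demo-")
    try:
        make_fake_app(root, "/Applications/Safari.app", "com.apple.Safari")
        make_fake_app(root, "/Applications/Mail.app", "com.apple.mail")
        # The bypass pattern: a copy of Safari, tucked inside a downloaded app,
        # keeps the identifier that TCC keys its exception on.
        make_fake_app(root,
                      "/Users/victim/Downloads/Evil.app/Contents/Resources/Safari.app",
                      "com.apple.Safari")
        # A third-party app with its own identifier is not a collision.
        make_fake_app(root, "/Users/victim/Downloads/Evil.app", "com.example.evil")
        return find_collisions(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for bid, paths in demo().items():
        print(f"{bid} reused outside trusted locations: {paths}")
```

The scan deliberately descends into bundles rather than stopping at the first .app it meets, because a copied Safari.app nested inside another application's Resources folder is precisely the case the identifier-only check in TCC lets through. A hit from this script is a lead, not a verdict: a legitimately installed second copy of an Apple app will trigger it too, which is why the deep, strict codesign verification belongs in the follow-up step.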
Johnson found the vulnerability in September 2019 and reported it to Apple on December 19, 2019, the same day the Apple Security Bounty Program was opened to the public.
To date, however, the Cupertino-based company hasn’t released a fix and Johnson believes that one won’t arrive before macOS Big Sur is released. The developer said he requested updates from Apple several times, but even in the latest response (on June 29), the company said it was “still investigating the issue.”
“I don’t believe that the issue will be fixed by Apple before Big Sur is released to the public in the Fall. I’ve seen no evidence that Big Sur makes any effort in this direction, and Apple’s email to me shows no evidence of that either. Therefore, I’m disclosing the issue now. It’s been over 6 months since I reported the issue to Apple,” Johnson says.