Security Experts:

Connect with us

Hi, what are you looking for?



New ‘powerdir’ Vulnerability in macOS Exposes Protected Data

A vulnerability addressed recently in Apple’s macOS platform could be exploited to gain unauthorized access to a user’s personal data, Microsoft explains.

A vulnerability addressed recently in Apple’s macOS platform could be exploited to gain unauthorized access to a user’s personal data, Microsoft explains.

Tracked as CVE-2021-30970, the new security error, which Microsoft calls powerdir, allows an attacker to bypass the platform’s Transparency, Consent, and Control (TCC) technology and “potentially orchestrate an attack based on the user’s protected personal data.”

Introduced in 2012, TCC is meant to help users configure the privacy settings in their applications, including access to features such as microphone, camera, location, calendar, and more. Users can access these settings under System Preferences > Security & Privacy > Privacy.

TCC maintains two types of databases – one for permissions that apply to a specific user profile and another for permissions that apply system-wide – protected via System Integrity Protection (SIP – prevents unauthorized code execution) and restricted access (to apps with full disk access only).

“We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests,” Microsoft says.

A user with full disk access could locate their TCC.db file, which is an SQLITE database, view it, and even edit it. Thus, a malicious actor with full disk access to the TCC databases could grant arbitrary permissions to their malicious apps, without the user ever being alerted on the matter.

The powerdir vulnerability, Microsoft explains, was identified while looking at the patch Apple released for a previous TCC vulnerability (CVE-2020-9934), and exists because the fix only prevents the attack, but does not address the core issue.

Thus, Microsoft discovered it was possible for an application to change the user’s home directory and plant a fake TCC database (TCC.db file). The attack only works with apps that are granted with a TCC policy maintained by the local or user-specific TCC.db.

Microsoft’s initial proof-of-concept (PoC) code targeting the vulnerability relied on the Directory Services command-line utility (dscl) and was mitigated by changes Apple made in its platform with the release of macOS Monterey in October.

A second PoC exploit was then created using the Apple-signed binary “,” which had permissions to modify the home directory silently. It also relied on configd to specify the custom bundle to load.

Apple addressed CVE-2021-30970 with the release of macOS Monterey 12.1 in December 2021.

Related: Apple Patches Vulnerabilities That Earned Hackers $600,000 at Chinese Contest

Related: Apple Patches 42 Security Flaws in Latest iOS Refresh

Related: Apple Patches 22 Security Flaws Haunting iPhones

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.