A macOS developer has unearthed a vulnerability that affects macOS Mojave, Catalina, and even the macOS Big Sur. The vulnerability gains access to protected files on your Mac by bypassing the security system. The Privacy Protections System known as TCC (Transparency, Consent, and Control) debuted in macOS Mojave. It was introduced with the purpose of protecting certain files on your Mac from access by unauthorized apps.
The developer demonstrates how a user created Mac app can gain access to file content restricted by TCC. He further explains that TCC has “two fundamental flaws”. TCC superficially checks the code signature of the app. Moreover, exceptions in TCC are based on bundle identifier and not the file path.
Thus, an attacker can make a copy of an app at a different location on disk, modify the resources of the copy, and the copy of the app with modified resources will still have the same file access as the original app, in this case, Safari.
The developer has created a proof-of-concept app that exploits vulnerabilities by using a flaw in Safari. As part of the effort, the developer has created a custom version of the Safari browser which is capable of accessing protected files and passing on the data to a server. Furthermore, the payload is delivered by a second app that downloads and launches the custom Safari.
As per the timeline, the developer first discovered the bug in September last year and reported the same to Apple in December. Apple responded and assured that the bug will be fixed in Spring 2020. This month, the developer finds out the bug is present in macOS Big Sur Beta 1. Meanwhile, Apple responds and says “they’re still investigating the issue.”
Apple introduced TCC in macOS Mojave. In other words, your Mac is no better than the one running older versions of Mac that don’t support TCC. The developer believes that macOS privacy protections are “mainly security theater and only harm legitimate Mac developers.” Security Theater is when a new feature is introduced with the sole purpose of making users feel more secure without actually doing much to make it happen.