New macOS attack vector exploits 'security theater,' developer claims

By Mike Peterson

A macOS developer has discovered an exploit that can bypass the operating system's file privacy and security protections.

Credit: Apple

The exploit, created by developer Jeff Johnson, impacts the "Transparency, Consent, and Control" (TCC) framework that was introduced in macOS Mojave. Johnson also tested the exploit in macOS Catalina and the first macOS Big Sur beta.

Essentially, the TCC framework restricts the ability for apps in macOS to access certain protected files or folders. As an example, Johnson writes that an app may not have access to the ~/Library/Safari folder unless it is explicitly granted.

In a blog post disclosing the exploit, Johnson said that there are two fatal flaws to the protections -- exceptions are based on a bundle identifier instead of a file path, and the system only "superficially" checks an app's code signature.

"Thus, an attacker can make a copy of an app at a different location on disk, modify the resources of the copy, and the copy of the app with modified resources will still have the same file access as the original app, in this case, Safari," Johnson wrote.

An example of the disk and folder privacy protections that the exploit can bypass.

A proof-of-concept attack created by the developer uses a flaw in Safari to leverage those vulnerabilities. It involves a modified version of Safari which can access protected files and send off private data to a server. The second app is the one that actually downloads and launches the modified Safari -- a task that any app downloaded from the web can accomplish.

Because of the exploit, Johnson claims that the Mac's privacy protections are "mainly security theater and only harm legitimate Mac developers allowing apps to bypass them through many existing holes."

The developer first disclosed the bug to the Apple Security Bounty program in December 2019, sparking several months of back-and-forth updates. Although Apple Product Security told Johnson they'd fix the issue in spring 2020, he said that it's still present in the macOS 11 Big Sur beta.

How to avoid or mitigate this vulnerability

Importantly, the exploit only really impacts the privacy protections built into macOS Mojave and later. In other words, it takes macOS security back to High Sierra and earlier.

Because of that, Johnson writes that the level of concern over the vulnerability really depends on "how you feel in general about macOS privacy protections."

The exploit can be leveraged by non-sandboxed malicious apps on a Mac, so the best mitigation strategy would be to exercise caution when downloading any app not from the Mac App Store.