Privacy Flaw in macOS Allows Safari Clone to Run With Full Access

Jul 1, 2020

A privacy flaw in macOS discovered by developer Jeff Johnson allows full access to private files within Safari's app folders. The zero-day exploit can give a Safari clone app full access to the user's files; if the user is tricked into using the clone, a hacker could steal their data. The bug was first reported to Apple in December 2019 and impacts macOS 10.14 and later.

The flaw exists in the macOS privacy protection system called TCC (Transparency, Consent, and Control), which is supposed to prevent unauthorized apps from accessing protected files on your Mac. TCC only superficially checks the code signature of an app and grants exceptions based on its bundle identifier. This means that a hacker can theoretically make a clone of the Safari app, place it in a different location on the Mac, and modify it to steal data. Because of this flaw, the cloned Safari app can still access the private data that the original Safari app has access to.
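Because the exception is keyed to the bundle identifier, one triage check a defender can run is to look for app bundles that declare Safari's identifier from a location other than the expected install path. The following is an added example, not code from Jeff Johnson or Apple; the allowed path in `EXPECTED`, the helper names, and the sample directory tree are assumptions constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumption: identifier to watch and the only path treated as legitimate.
EXPECTED = {"com.apple.Safari": {Path("/Applications/Safari.app")}}


def bundle_id(app):
    """Return CFBundleIdentifier from an .app's Info.plist, or None."""
    try:
        with open(Path(app) / "Contents" / "Info.plist", "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return None  # missing or malformed plist
    return data.get("CFBundleIdentifier") if isinstance(data, dict) else None


def find_clones(roots, expected=EXPECTED):
    """List bundles reusing a watched identifier outside its allowed paths."""
    hits = []
    for root in roots:
        for app in Path(root).rglob("*.app"):
            ident = bundle_id(app)
            allowed = {p.resolve() for p in expected.get(ident, ())}
            if ident in expected and app.resolve() not in allowed:
                hits.append((app.resolve(), ident))
    return sorted(hits)


def make_bundle(path, ident):
    """Write a minimal constructed .app (Info.plist only) for the demo."""
    contents = Path(path) / "Contents"
    contents.mkdir(parents=True)
    with open(contents / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": ident}, fh)
    return Path(path)


def demo():
    """Constructed tree: one allowed Safari.app and one copy elsewhere."""
    root = Path(tempfile.mkdtemp())
    legit = make_bundle(root / "Applications/Safari.app", "com.apple.Safari")
    copy = make_bundle(root / "Users/demo/Downloads/Safari.app", "com.apple.Safari")
    make_bundle(root / "Applications/Other.app", "com.example.other")
    return find_clones([root], {"com.apple.Safari": {legit}}), copy.resolve()
```

A hit is only a triage signal. On a Mac, running `codesign --verify --deep --strict` against a flagged bundle checks whether its contents still match its signature.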


Although the issue was initially reported in December 2019, when Apple launched its Bug Bounty Program, it has been over 6 months and the flaw remains unresolved. Apple has released many macOS Catalina updates since then and none of them have fixed this issue. Based on the status of the bug fix provided by Apple, Jeff believes that even macOS Big Sur has this issue and he does not expect Apple to fix it anytime soon.

The only workaround for now is to ensure that you only install software from reliable sources such as the Mac App Store.

Here's what Jeff Johnson has to say about the issue and Apple's response:

Should you be worried about this issue? That depends on how you feel in general about macOS privacy protections. Prior to Mojave, the privacy protections feature did not exist at all on the Mac, so you're not any worse off now than you were on High Sierra and earlier. My personal opinion is that macOS privacy protections are mainly security theater and only harm legitimate Mac developers while allowing malware apps to bypass them through many existing holes such as the one I'm disclosing, and that other security researchers have also found. I feel that if you already have a hostile non-sandboxed app running on your Mac, then you're in big trouble regardless, so these privacy protections won't save you. The best security is to be selective about which software you install, to be careful to avoid ever installing malware on your Mac in the first place. There's a reason that my security research has focused on macOS privacy protections: my goal is to show that Apple's debilitating lockdown of the Mac is not justified by alleged privacy and security benefits. In that respect, I think I've proved my point, over and over again. In any case, you have the right to know that the systems you rely on for protection are not actually protecting you.

via VentureBeat