As Apple announced macOS 11 Big Sur at WWDC 2020, claiming major improvements over macOS Catalina, a professional Mac and iOS developer disclosed a Mac privacy bug.
When macOS Mojave was introduced, Apple claimed that it would provide additional protection for users' private data. Mojave extended the privacy protection system (TCC: Transparency, Consent, and Control) to cover files on the Mac, so that unauthorised applications cannot read them. The researcher found a way for an unauthorised app to read that private data anyway, bypassing the protection. He claimed the bypass works on Mojave, Catalina and the Big Sur beta.
When Apple introduced its Apple Security Bounty program, he, like many other researchers, reported a zero-day exploit that lets an unauthorised app access some private files without having been granted permission. He claimed that the flaw remained unpatched for about 10 months, so he disclosed it publicly. He called the macOS privacy protections "security theater". Let's look at the report he sent to Apple Product Security.
THE ZERO DAY
The researcher reverse engineered Safari, the web browser shipped with macOS. As noted above, he said this zero-day lets any unauthorised app bypass the privacy protection that Apple's products are well known for. He built a sample app and ran it: the app reads ~/Library/Safari/TopSites.plist, one of the Safari files TCC protects, and sends the contents of that file by HTTP POST to a domain owned by the attacker.
The researcher's app makes a copy of the Safari application at a location other than where the original Safari lives on disk. The flaw on macOS's side is that it does not properly check every part of an app's code signature before granting access. An unauthorised application whose signature satisfies only the parts Apple checks, such as a modified copy whose unchanged pieces still carry Apple's signature, can therefore pass the check and inherit Safari's access.
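The following is an added example and not code from the researcher's report or from Apple: a toy model of a bundle "resource seal", in the spirit of the `_CodeSignature/CodeResources` file that a real macOS code signature carries. It shows why a verifier that compares only the main executable against the seal still passes after a resource such as `HTMLViewController.js` has been swapped, while a verifier that walks the whole seal fails. The bundle layout, file contents and the JSON manifest format are constructed for the demo; Apple's real seal is a property list, and the real check is `codesign --verify --strict`, which reports that a sealed resource is missing or invalid on a copy whose Resources were edited.

```python
"""Toy model of bundle resource sealing (added example, not Apple's format).

A fake Safari.app is created with a seal (hash manifest) covering both the
main executable and a JavaScript resource. The resource is then replaced,
mirroring the step described in the article, and two verifiers are compared.
"""
import hashlib
import json
import os
import tempfile

# Hypothetical bundle layout, chosen to resemble the paths named in the article.
MAIN_EXEC = "Contents/MacOS/Safari"
RESOURCE_JS = "Contents/Resources/HTMLViewController.js"
SEAL = "Contents/_CodeSignature/CodeResources"  # toy JSON manifest, not Apple's plist


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def make_bundle(root):
    """Create a fake Safari.app whose seal covers the executable and the JS resource."""
    _write(root, MAIN_EXEC, b"\xcf\xfa\xed\xfe constructed executable bytes")
    _write(root, RESOURCE_JS, b"// constructed original Top Sites view controller\n")
    seal = {rel: _sha256(os.path.join(root, rel)) for rel in (MAIN_EXEC, RESOURCE_JS)}
    _write(root, SEAL, json.dumps(seal).encode())
    return seal


def _load_seal(root):
    with open(os.path.join(root, SEAL)) as f:
        return json.load(f)


def verify_executable_only(root):
    """The weak check: only the main executable is compared against its sealed hash."""
    seal = _load_seal(root)
    return _sha256(os.path.join(root, MAIN_EXEC)) == seal[MAIN_EXEC]


def verify_whole_bundle(root):
    """The strict check: every sealed file must be present and match its hash."""
    seal = _load_seal(root)
    for rel, expected in seal.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path) or _sha256(path) != expected:
            return False
    return True


def tamper_resource(root):
    """Swap the JS resource and leave the signed executable untouched."""
    _write(root, RESOURCE_JS, b"// modified: would read TopSites.plist and post it out\n")


def demo():
    """Return (weak_before, strict_before, weak_after, strict_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "Safari.app")
        make_bundle(root)
        before = (verify_executable_only(root), verify_whole_bundle(root))
        tamper_resource(root)
        after = (verify_executable_only(root), verify_whole_bundle(root))
    return before + after


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

The executable-only verifier is the model of the check the article says macOS performed: the copied binary is byte-identical to Apple's, so it still matches, and the tampered resource is never looked at. Only the whole-bundle walk catches the swapped file. The model also shows the limit of seal-based checks in general: a file the seal does not list is not examined at all, so a verifier must additionally refuse unsealed files in sealed directories if it wants to catch additions rather than only modifications.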
Finally, as the researcher describes it, his app copies the Safari application and replaces "Safari.app/Contents/Resources/HTMLViewController.js" in the copy with a modified version. Here is the code snippet inside the application that reveals this change.