After six months of stonewalling by Apple, app dev goes public with macOS privacy protection bypass

So much for preventing malicious software from peeking at sensitive files

Six months after software developer Jeff Johnson told Apple about a privacy bypass vulnerability opening up protected files in macOS Mojave, macOS Catalina, and the upcoming macOS Big Sur, the bug remains unfixed – so he's going public.

Johnson, who runs app developer Lapcat Software, said he submitted details about the problem to Apple's Security Bounty program on the day it opened for business, December 19, 2019. The problem appears to be with Apple's Transparency, Consent, and Control sandboxing system.

Essentially, naughty apps can exploit the bug to access protected files, such as your browser history, that should be off limits.

In a blog post on Tuesday, he explains that after asking Apple for a status update in January this year, in April, and again in June, and being told each time the iGiant is still investigating, he has decided to disclose his findings in an effort to push back against the tech titan's boasts about security and privacy.

"For technical reasons, I don't believe that the issue will be fixed by Apple before Big Sur is released to the public in the Fall," he wrote. "I've seen no evidence that Big Sur makes any effort in this direction, and Apple's email to me shows no evidence of that either. Therefore, I'm disclosing the issue now."

He revealed a similar issue last October, having reported it in February of that year and waited eight months for Apple to fix it, to no avail.

Mutiny on the Bounty

Johnson in his post expressed dissatisfaction with the Apple Security Bounty program, calling the experience a disappointment and stating he doesn't intend to participate in the future.

"Talking to Apple Product Security is like talking to a brick wall," he said in an email to The Register. "I suspect that Apple doesn't trust outsiders with any information, but this attitude is counterproductive, because it just alienates the people who report bugs, and turns them away from bug reporting. Distrust from one side causes distrust from the other side too."


This latest bug can be exploited by a maliciously crafted app to bypass a privacy system known as Transparency, Consent, and Control (TCC) that was introduced in OS X Mavericks and got strengthened in subsequent releases through technologies like System Integrity Protection (SIP) in El Capitan (the branding transition from Mac OS X to macOS didn't happen until mid-2016).

Starting in 2018, with macOS Mojave, TCC expanded to require apps to get special permission to run AppleScript, and that's when, Johnson says, developers really took notice of it.

TCC is a sandboxing system designed to enforce user privacy decisions, like approving or denying app access to location data or data stored in files like the contacts database. What Johnson discovered is a way to let unauthorized apps access protected files.

His proof-of-concept code demonstrates how a user-installed macOS app can access files that should be protected by TCC, specifically those in the ~/Library/Safari directory, and then post the data to a remote server. The files stored in that directory include lists of bookmarks, browser history, downloads, and other data related to browsing sessions. If another app were targeted, the bypass would provide access to that app's protected files instead.

The bypass is made possible by two flaws. First, exceptions to TCC blocking – stored in the file ~/Library/Application Support/com.apple.TCC/TCC.db – are keyed on the app's bundle identifier rather than its file path. So a copy of the app carrying the same identifier in another location is treated as the original, authorized app. Second, TCC's code signature check is not very thorough and doesn't spot modified resources, because running a deep check of an app and all of its resource files can take a long time.
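As an added illustration (not Johnson's proof-of-concept and not Apple's code), the script below shows how a defender could audit a Mac for grants exposed by the first flaw: it reads identifier-keyed rows from a TCC-style database and flags any bundle identifier that exists as more than one app copy on disk, since every copy would inherit the grant. The `access` table columns, the `mdfind` query and the sample rows are assumptions and constructed data, not taken from the article.

```python
import sqlite3
import subprocess
from typing import Dict, List

# Constructed rows in the shape of the TCC.db `access` table as assumed for
# Catalina (service, client, client_type, allowed). client_type 0 means the
# client column holds a bundle identifier, 1 means an absolute path.
SAMPLE_ACCESS_ROWS = [
    ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 0, 1),
    ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/backuptool", 1, 1),
    ("kTCCServiceAddressBook", "com.example.mail", 0, 0),
    ("kTCCServiceCalendar", "com.example.mail", 0, 1),
]

# Constructed view of what Spotlight reports per identifier; on a real Mac you
# would fill this from the output of
#   mdfind "kMDItemCFBundleIdentifier == 'com.example.backup'"
SAMPLE_COPIES_ON_DISK = {
    "com.example.backup": ["/Applications/Backup.app", "/Users/me/Downloads/Backup.app"],
    "com.example.mail": ["/Applications/Mail Client.app"],
}

def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for ~/Library/Application Support/com.apple.TCC/TCC.db."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, allowed INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", SAMPLE_ACCESS_ROWS)
    return con

def allowed_bundle_grants(con: sqlite3.Connection) -> Dict[str, List[str]]:
    """Map bundle identifier -> services it may use (identifier-keyed grants only)."""
    grants: Dict[str, List[str]] = {}
    query = "SELECT service, client FROM access WHERE client_type = 0 AND allowed = 1"
    for service, client in con.execute(query):
        grants.setdefault(client, []).append(service)
    return grants

def ambiguous_grants(grants: Dict[str, List[str]],
                     copies_on_disk: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Grants where more than one bundle carries the identifier: TCC keys on the
    identifier, so each copy inherits the grant regardless of its path."""
    return {bid: paths for bid, paths in copies_on_disk.items()
            if bid in grants and len(paths) > 1}

def deep_signature_ok(app_path: str) -> bool:
    """Run the deep, strict check the article says TCC skips for speed (macOS only)."""
    result = subprocess.run(["codesign", "--verify", "--deep", "--strict", app_path],
                            capture_output=True)
    return result.returncode == 0
```

Feed `ambiguous_grants(allowed_bundle_grants(con), copies)` the real database and Spotlight results, then run `deep_signature_ok` on each flagged path to learn whether any copy has had its resources altered.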

Johnson acknowledged that a privacy flaw leaking data is not particularly serious as far as such bugs go, but maintained it's not something that should be ignored.

"If you believe that macOS privacy protections are important, then yes, this is a very serious issue," he said via email.

"On the other hand, if you were very satisfied with the level of macOS system security that existed prior to 2018, then no, you might not care about this much. In either case, though, it's a serious design flaw in the privacy protections system."

Johnson said he chose to write about the flaw because he felt Apple's increasing use of restrictive privacy systems limits what legitimate developers can do without hindering the ill-intentioned from building malware.

"My personal opinion is that macOS privacy protections are mainly security theater and only harm legitimate Mac developers while allowing malware apps to bypass them through many existing holes such as the one I'm disclosing, and that other security researchers have also found," Johnson wrote.

Apple did not respond to a request for comment. ®
