Wednesday, October 9, 2019

File System Events Privacy Protections Bypass

Jeff Johnson (tweet):

Two months later, Apple has shipped major updates to all of their operating systems. Yesterday, macOS 10.15 Catalina was released. And yet, the new bug bounty program has not opened. Perhaps the public assumes that the bug bounty program has already expanded, but it has not. To this day, there’s still no Mac bug bounty program. Apple announced the expanded bug bounty program while their major OS updates were still in beta testing, but Apple did not open the bug bounty program during the beta testing period. The irony is that the new program was announced to offer increased bounties for bugs found in pre-release software, but no opportunity was given for that to occur.

[…]

I did not give Apple a deadline, but many security researchers give vendors only 90 days before they disclose a reported vulnerability. I reported mine to Apple 8 months ago, so they’ve had a lot of time.

Apple has since said that this vulnerability is not eligible for the bounty (because it’s only for privacy, not security?), so he’s disclosing it and saving the other two that he found until the bug bounty program opens:

An app without special permissions can register for notifications of file system events that occur in directories that are supposed to be protected. These file system event notifications can disclose private information that the app should not have access to.

[…]

I said, “a malware app could secretly violate a user’s privacy by examining their web browsing history.” How is this possible with file system events? If you look inside the directory ~/Library/Safari/LocalStorage, you’ll see that Safari saves local storage files that are named after their associated web sites, for example, https_www.apple.com_0.localstorage. The File System Events API can’t see the file contents, but it can see the file names! And because Safari names files after the web sites you visit, the File System Events API can be used to determine your web browsing history.
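To put a number on what the quoted passage describes, here is an added example (not Jeff Johnson's code, and not Apple's API): given a stream of bare file-system event paths, it keeps only those under the directory the disclosure names and decodes Safari's LocalStorage naming convention into site origins, which is the impact a defender needs to assess. The event paths are constructed sample input, no FSEvents registration is performed, and treating the trailing number as a port field (0 for the default port) is an assumption.

```python
import os
from dataclasses import dataclass
from typing import List, Optional

# The one protected location the disclosure names; others are not on the page.
PROTECTED_DIRS = ("~/Library/Safari/LocalStorage",)


@dataclass(frozen=True)
class LeakedOrigin:
    scheme: str
    host: str
    port: int  # assumption: numeric suffix is a port field, 0 = default port


def parse_localstorage_name(filename: str) -> Optional[LeakedOrigin]:
    """Decode a name like 'https_www.apple.com_0.localstorage' into origin parts.
    Returns None for names that do not follow the convention."""
    base, ext = os.path.splitext(filename)
    if ext != ".localstorage":
        return None
    parts = base.split("_")  # hostnames cannot contain '_', so the split is unambiguous
    if len(parts) != 3 or parts[0] not in ("http", "https") or not parts[2].isdigit():
        return None
    return LeakedOrigin(parts[0], parts[1], int(parts[2]))


def disclosed_origins(event_paths: List[str], home: str = "/Users/alice") -> List[LeakedOrigin]:
    """Return the browsing origins that event paths (names only, never contents)
    inside the protected directory reveal, in first-seen order without duplicates."""
    roots = tuple(os.path.normpath(d.replace("~", home, 1)) for d in PROTECTED_DIRS)
    found: List[LeakedOrigin] = []
    for path in event_paths:
        path = os.path.normpath(path)
        if not any(path.startswith(root + os.sep) for root in roots):
            continue  # events elsewhere say nothing about browsing history
        origin = parse_localstorage_name(os.path.basename(path))
        if origin is not None and origin not in found:
            found.append(origin)
    return found


# Constructed sample event paths, not captured from a real system.
SAMPLE_EVENTS = [
    "/Users/alice/Library/Safari/LocalStorage/https_www.apple.com_0.localstorage",
    "/Users/alice/Library/Safari/LocalStorage/https_www.apple.com_0.localstorage",
    "/Users/alice/Library/Safari/LocalStorage/http_example.org_8080.localstorage",
    "/Users/alice/Library/Safari/LocalStorage/unrelated.tmp",
    "/Users/alice/Documents/notes.txt",
]

if __name__ == "__main__":
    for origin in disclosed_origins(SAMPLE_EVENTS):
        print(f"{origin.scheme}://{origin.host} (port field {origin.port})")
```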


To clarify, the vulnerability is not eligible for the bounty simply because it was already reported 8 months ago, and the Mac bug bounty program does not exist yet. I had hoped the bug might qualify because it hasn't been fixed yet, but apparently that doesn't matter as far as a bounty is concerned.

@Jeff Wow, so now they’re incentivizing people to not report vulnerabilities?

@Michael At the moment, yes. ¯\_(ツ)_/¯

So, Apple imposes all manner of time-consuming/functionally-restricting requirements on 3rd-party devs in the name of security, yet they themselves leave glaring stuff like this unpatched for the better part of a year?
