Thursday, July 2, 2020

Safari Privacy Protections Bypass

Jeff Johnson (tweet, Hacker News):

The privacy protections system (also known as TCC: Transparency, Consent, and Control) was introduced in macOS Mojave, and one of its purposes is to protect certain files on your Mac from access by unauthorized apps. I’ve discovered a way for an unauthorized app to read the contents of protected files, thus bypassing the privacy protections.


It’s been over 6 months since I reported the issue to Apple. This is well beyond the bounds of “responsible disclosure”, which is typically 90 days after reporting an issue to a vendor. It’s also becoming obvious that I will never get paid a bounty by Apple for anything I’ve reported to them, or at least not within a reasonable amount of time. I’m not interested in waiting years for a bounty. I can’t speak for anyone else, but my personal experience is that the Apple Security Bounty Program has been a disappointment, and I don’t plan to participate again in the future.

An app can make a copy of Safari, modify a JavaScript file in it, and exfiltrate private Safari data. The system trusts the bundle identifier on the copy and doesn’t do a full check of the code signature (or even check the path) to make sure it’s the real Safari.

Csaba Fitzl:

you should have waited, I have worse ASB timelines than this :)

Jeff Johnson:

We know that TCC is a major burden for legitimate Mac apps. But is it a major burden for malware? That’s the question, and it seems to me the answer is no. There are so many holes in this system, it only stops the good developers who wouldn’t stoop to using the countless hacks readily available to malware developers.

He also found a sandbox escape.


Update (2020-07-06): See also: Thomas Claburn.

Update (2020-09-28): Jeff Johnson:

Safari 14 partially ameliorates this.

No credit or bug bounty for me, because Apple Product Security sucks.


Comments RSS · Twitter

Leave a Comment