Archive for July 3, 2020

Friday, July 3, 2020

mount_apfs TCC Bypass and Privilege Escalation

Csaba Fitzl (tweet):

We could mount the entire file system through APFS snapshots as read-only, with the noowners flag, which enables us to access (almost) every file in the file system, including data (documents, files, etc…) of every user on the system, including those protected by Apple’s privacy framework (TCC). Even with the Guest account we could read files of admin accounts as Guest! 😱

[…]

At the beginning of March 2020, Apple said that the fix was shipped in the Catalina 10.15.4 beta; they didn’t say a word about how they fixed it. I quickly jumped on it, and I found that the trick still works. I was puzzled. After some testing it turned out that they tied this to the Full Disk Access (FDA) right in TCC (kTCCServiceSystemPolicyAllFiles), which I found wrong.

As he explains:

This still violates the basic BSD security model, as you can read other users’ files without elevating to root. […] Even if SIP is ON and Terminal has Full Disk Access, you can’t see other users’ files with it - with this vulnerability you can.

But Apple still considers it to be fixed.

Thomas Reed:

Absolutely ridiculous fix, I agree. Gating the fix behind a gate that most people will have open is bad. Of course, FDA for Terminal is just bad in general, yet there’s no good way for technical users to NOT give FDA to Terminal. 😞

It’s like Apple has designed TCC in such a way that you have to make an insecure config change to get real work done, but they can say, “Well, you would have been safe if you hadn’t made an insecure config change.” 😒

And there are lots of other apps that need Full Disk Access, for one reason or another, but they shouldn’t be given access to other users’ files.
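As an added defender-side audit (not part of Csaba Fitzl’s write-up or this post), the following POSIX shell helper parses the text format of macOS `mount` and reports APFS volumes mounted with the noowners flag, the condition the write-up identifies as what exposes every user’s files; the sample mount output is constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Added audit helper, not from the original post. Input is the text format
# of macOS `mount`:  <device> on <mountpoint> (<opt1>, <opt2>, ...)
# Constructed sample output for offline testing; the third line mimics an
# APFS snapshot of the system volume mounted read-only with noowners.
SAMPLE_MOUNT_OUTPUT='/dev/disk1s1 on / (apfs, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk1s1s1 on /Volumes/snap (apfs, local, read-only, noowners, journaled)
/dev/disk2s1 on /Volumes/USB (msdos, local, nodev, nosuid, noowners)'

# Print "<device>\t<mountpoint>\t<options>" for every APFS mount whose option
# list contains noowners. Removable msdos/exfat volumes are noowners by design
# and are deliberately not reported; only APFS is of interest here.
find_noowners_apfs_mounts() {
    printf '%s\n' "$1" | awk '
        match($0, /\(.*\)$/) {
            opts = substr($0, RSTART + 1, RLENGTH - 2)
            n = split(opts, a, /, */)
            is_apfs = 0; no_owners = 0
            for (i = 1; i <= n; i++) {
                if (a[i] == "apfs")     is_apfs = 1
                if (a[i] == "noowners") no_owners = 1
            }
            if (is_apfs && no_owners) {
                dev = $0; sub(/ on .*$/, "", dev)
                mp = $0;  sub(/^.* on /, "", mp); sub(/ \(.*$/, "", mp)
                print dev "\t" mp "\t" opts
            }
        }'
}

# Number of such mounts; prints 0 on a clean system, suitable for a cron or
# CI check that alerts when the count is non-zero.
count_noowners_apfs_mounts() {
    find_noowners_apfs_mounts "$1" | awk 'END { print NR }'
}

# On a live Mac run:  find_noowners_apfs_mounts "$(mount)"
```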


Big Sur’s Narrow Alerts

Craig Hockenberry:

Why do I have this
huge ass screen on
my Mac and am now
reading alerts with
four or five words in
each line?

Seems like a bad
idea when a majority
of Macs have a
display with landscape
orientation. Portrait
makes sense on a phone,
but I find it hard to
use on a Big
Sur desktop.

The reason is to make it look more like iOS, perhaps so that iOS apps running on macOS 11 fit in better. We’re continually told that macOS and iOS are not merging, and that the Mac will still be the Mac, yet Apple continues to make changes to macOS like this that degrade the user experience in favor of consistency with iOS. Look at the Catalyst apps. Even the praised Messages app is gaining bugs and losing features like transcripts, AppleScript, and good keyboard support that weren’t in the iOS version.

Apple:

Alerts are cardlike rectangles that use the same corner radius as all windows in macOS 11. Within an alert, most content is center aligned.

Centered text is difficult to read when there are multiple lines. It’s also disorienting that sometimes the buttons are arranged horizontally and other times vertically. And it introduces an inconsistency with dialogs, which often are just alerts with more content, but now they have different text alignment and a different style of button.


Update (2020-08-19): Jeff Johnson:

These iOS style alerts in Big Sur are great.

Look at that scroll bar.

Update (2020-09-08): Riccardo Mori (tweet):

Their layout is also inconsistent [buttons side-by-side vs. stacked].

[…]

This second dialog box, as you can see, has an additional problem: the text block is longer than the space afforded. It looks truncated, but actually you can read it in its entirety by hovering over it with the mouse and scrolling down. Something that’s not at all apparent at first glance, by the way.

[…]

Another inconsistency is that sometimes — like in previous Mac OS versions — one of the buttons will be highlighted (see the first dialog above, from Mail), other times all buttons are grey.

[…]

Yet another inconsistency is that dialogs like this one essentially retain the old design[…]

In this example, the dialog is slightly off the beaten path, with a checkbox and text that updates, so probably the NSAlert API could not be used. As a result, the layout and styling are totally different.

Update (2020-09-28): Peter Steinberger:

Contrast.

Update (2020-11-20): John Gruber:

I get it that a lot of things are subjective, beauty is in the eye of the beholder, etc, but how can anyone say these alerts with all the text centered look good? Or are even legible? I like Big Sur overall, but this change is just baffling.

Nick Heer:

Dialog boxes build upon these flaws by inexplicably centring their contents and stacking action buttons at the bottom. Sometimes, those buttons appear side-by-side; I think this is only the case if there are exactly two actions. In any case, these dialogs are often very tall with small and hard to read text, but the buttons are unnecessarily large. At the very least, it is a truly strange use of space on displays of all sizes. In most cases, I think they are an unforced regression.

Damien Petrilli:

OMG this checkbox is almost invisible.

Update (2020-12-09): Max Seelemann:

The perils of running 10 Mac minis on a CI, today’s finding: why the hell does the same alert look different on two identical Macs with identical (scripted) setup?

Only difference is DNS name, IP address and background color 😂

Update (2020-12-16): Nick Heer:

I have tried — I really have — but centred text in tall dialog boxes is a bad idea that needs to be changed.

Update (2021-01-01): Peter Steinberger:

Something tells me nobody tried logging into a VPN since the Big Sur transition to iOS-style alerts. 😬

LinkedIn iOS Clipboard Snooping

Don (via Hacker News):

LinkedIn is copying the contents of my clipboard every keystroke. iOS 14 allows users to see each paste notification.

I’m on an iPad Pro and it’s copying from the clipboard of my MacBook Pro.

Erran Berger (VP of Engineering):

Appreciate you raising this. We’ve traced this to a code path that only does an equality check between the clipboard contents and the currently typed content in a text box. We don’t store or transmit the clipboard contents.

fingerlocks:

It’s an innocuous comparison of text input to the pasteboard to prevent unwanted autocorrect insertions.

It doesn’t seem like iOS 14’s new pasteboard sniffing API would handle this case.


Update (2020-07-06): John Gruber:

Even if you really did want to make an app that steals people’s clipboard contents, there’s absolutely no reason you’d check the clipboard contents this frequently. It’s just sloppy programming. But once revealed, a sloppy implementation like LinkedIn’s looks sketchy as hell.

Update (2020-07-27): Hartley Charlton:

Microsoft’s LinkedIn was sued yesterday for allegedly reading and diverting users’ private information using the iOS clipboard.

TikTok iOS Clipboard Snooping

Juli Clover (also: Hacker News):

A new feature in iOS 14 alerts users when apps read the clipboard, and it turns out some apps have been reading clipboard data excessively.

TikTok users who upgraded to iOS 14, for example, quickly noticed constant alerts warning them that TikTok was accessing the clipboard every few seconds. After being caught, TikTok now says that it’s removing the feature.

They say it was doing this to “identify repetitive, spammy behavior.”

John Gruber:

I mean, their explanation makes no sense at all.

Couldn’t they wait until you do something with the clipboard contents?

Other apps also read the clipboard when you aren’t pasting, often for good reasons.

TikTok also seems to try to check which apps you have installed and more:

TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device... well, they’re using it.

[…]

Here’s the thing though.. they don’t want you to know how much information they’re collecting on you, and the security implications of all of that data in one place, en masse, are fucking huge. They encrypt all of the analytics requests with an algorithm that changes with every update (at the very least the keys change) just so you can’t see what they’re doing. They also made it so you cannot use the app at all if you block communication to their analytics host off at the DNS-level.
