Tuesday, March 29, 2022

CoreFollowUp Phishing

Guilherme Rambo:

The only problem is that such a scary-looking alert, right within System Preferences, could be sent by ANY app running on your Mac. The malicious scenario would involve an app that looks like a simple, regular app (it could even be a sandboxed app) sending such a notification, which would then open up an Apple ID login panel that when submitted sent your email and password to the bad actor. The notification could even be made to look like it came from the System Preferences app itself, making it much more believable.


CoreFollowUp is used by several components of both macOS and iOS, and they communicate with it through a daemon called followupd. The problem was that the daemon failed to validate connections made to it on macOS, which meant that any process that could look up its Mach service (including sandboxed apps) would be able to send it commands, including ones that would trigger that scary dialog within System Preferences.


A more complete fix was released in macOS 12.3, preventing any random binary on the system from talking to the daemon and registering notifications, regardless of the destination URL. Apple addressed it by introducing a new entitlement: com.apple.private.followup.


This was my first time ever participating in Apple’s bug bounty program. […] All in all, this was a mostly positive experience. The main thing I don’t like about how Apple does it is that they don’t communicate very well throughout the process, and it can take them a really long time to completely address an issue.


Comments RSS · Twitter

Leave a Comment