Friday, April 7, 2023

Mac Security Bugs Expose Location and Safari History

Guilherme Rambo:

However, when it comes to these local XPC services, the assumption that their scope is limited -- both in terms of functionality as well as which processes can even look them up to initiate a connection in the first place — means that not all local XPC services on macOS have strong authentication for clients.


Well, turns out you could just symlink another bundle’s Contents/XPCServices directory into your own app’s Contents/XPCServices, and launchd would happily follow that symlink and allow your app to lookup and connect to a local XPC service embedded in a completely unrelated bundle.


One of the things this service handles is the “Set timezone automatically using your current location” option. When enabled, the preference pane uses the bundled XPC service in order to obtain the current device location. Because the location request goes through TimeZoneService and it has the effective bundle entitlement, what the location icon in the Menu Bar shows is just “Setting Time Zone”.


Safari’s history agent was not validating client processes that connected to it, which meant that any process running on the system could access the user’s Safari browsing history.

He recommends the new setCodeSigningRequirement(_:) API.


Comments RSS · Twitter · Mastodon

Leave a Comment