{"id":29405,"date":"2020-07-02T16:46:53","date_gmt":"2020-07-02T20:46:53","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=29405"},"modified":"2021-07-13T11:53:33","modified_gmt":"2021-07-13T15:53:33","slug":"safari-privacy-protections-bypass","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2020\/07\/02\/safari-privacy-protections-bypass\/","title":{"rendered":"Safari Privacy Protections Bypass"},"content":{"rendered":"<p><a href=\"https:\/\/lapcatsoftware.com\/articles\/disclosure2.html\">Jeff Johnson<\/a> (<a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1277936895905927172\">tweet<\/a>, <a href=\"https:\/\/news.ycombinator.com\/item?id=23689364\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/lapcatsoftware.com\/articles\/disclosure2.html\"><p>The privacy protections system (also known as TCC: Transparency, Consent, and Control) was introduced in macOS Mojave, and one of its purposes is to protect certain files on your Mac from access by unauthorized apps. I&rsquo;ve discovered a way for an unauthorized app to read the contents of protected files, thus bypassing the privacy protections.<\/p><p>[&#8230;]<\/p><p>It&rsquo;s been over 6 months since I reported the issue to Apple. This is well beyond the bounds of &ldquo;responsible disclosure&rdquo;, which is typically 90 days after reporting an issue to a vendor. It&rsquo;s also becoming obvious that I will never get paid a bounty by Apple for anything I&rsquo;ve reported to them, or at least not within a reasonable amount of time. I&rsquo;m not interested in waiting years for a bounty. I can&rsquo;t speak for anyone else, but my personal experience is that the Apple Security Bounty Program has been a disappointment, and I don&rsquo;t plan to participate again in the future.<\/p><\/blockquote>\n\n<p>An app can make a copy of Safari, modify a JavaScript file in it, and exfiltrate private Safari data. The system trusts the bundle identifier on the copy and doesn&rsquo;t do a full check of the code signature (or even check the path) to make sure it&rsquo;s the real Safari.<\/p>\n\n<p><a href=\"https:\/\/twitter.com\/theevilbit\/status\/1277958577475383316\">Csaba Fitzl<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/theevilbit\/status\/1277958577475383316\">\n<p>you should have waited, I have worse ASB timelines than this :)<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/news.ycombinator.com\/item?id=23691087\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/news.ycombinator.com\/item?id=23691087\"><p>We know that TCC is a major burden for legitimate Mac apps. But is it a major burden for malware? That&rsquo;s the question, and it seems to me the answer is no. There are so many holes in this system, it only stops the good developers who wouldn&rsquo;t stoop to using the countless hacks readily available to malware developers.<\/p><\/blockquote>\n\n<p>He also found a <a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1278317608618602497\">sandbox escape<\/a>.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2020\/06\/01\/sign-in-with-apple-vulnerability\/\">Sign in With Apple Vulnerability<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2020\/05\/19\/apple-vs-security-researchers\/\">Apple vs. Security Researchers<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2020\/04\/28\/mac-sandbox-escape-via-textedit\/\">Mac Sandbox Escape via TextEdit<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/12\/20\/mac-bug-bounty-program-opens\/\">Mac Bug Bounty Program Opens<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/02\/05\/mojave-privacy-protection-aftermath\/\">Mojave Privacy Protection Aftermath<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2018\/09\/25\/bypassing-mojave-security-protections\/\">Bypassing Mojave Security Protections<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2018\/09\/10\/mojaves-new-security-and-privacy-protections-face-usability-challenges\/\">Mojave&rsquo;s New Security and Privacy Protections Face Usability Challenges<\/a><\/li>\n<\/ul>\n\n<p id=\"safari-privacy-protections-bypass-update-2020-07-06\">Update (2020-07-06): See also: <a href=\"https:\/\/www.theregister.com\/2020\/07\/01\/apple_macos_privacy_bypass\/\">Thomas Claburn<\/a>.<\/p>\n\n<p id=\"safari-privacy-protections-bypass-update-2020-09-28\">Update (2020-09-28): <a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1306350935959056385\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1306350935959056385\">\n<p>Safari 14 partially ameliorates this.<\/p>\n<p>No credit or bug bounty for me, because Apple Product Security sucks.<\/p>\n<\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2020\/09\/18\/safari-14\/\">Safari 14<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Jeff Johnson (tweet, Hacker News): The privacy protections system (also known as TCC: Transparency, Consent, and Control) was introduced in macOS Mojave, and one of its purposes is to protect certain files on your Mac from access by unauthorized apps. I&rsquo;ve discovered a way for an unauthorized app to read the contents of protected files, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2020-07-02T20:46:57Z","apple_news_api_id":"7235ea64-7970-449e-be3e-10036ec5ebd9","apple_news_api_modified_at":"2021-07-13T15:53:36Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAABA==","apple_news_api_share_url":"https:\/\/apple.news\/AcjXqZHlwRJ6-PhADbsXr2Q","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[2098,2095,465,30,1609,1666,1891,355,103,53,1960],"class_list":["post-29405","post","type-post","status-publish","format-standard","hentry","category-technology","tag-apple-security-bounty","tag-exploit","tag-gatekeeper","tag-mac","tag-macos-10-14","tag-macos-10-15","tag-macos-11-0","tag-privacy","tag-safari","tag-sandboxing","tag-transparency-consent-and-control-tcc"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/29405","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=29405"}],"version-history":[{"count":3,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/29405\/revisions"}],"predecessor-version":[{"id":30265,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/29405\/revisions\/30265"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=29405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=29405"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=29405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}