#BHUSA: Researchers Criticize Apple Bug Bounty Program

According to a pair of researchers at the Black Hat US 2021 event, there is no shortage of ways to bypass privacy mechanisms in Apple’s macOS operating system. While Apple does have a bug bounty program to reward researchers for disclosing flaws, the time it takes to fix issues is a real concern.

Wojciech Reguła, senior IT security specialist at SecuRing, explained that at the core of macOS is the Transparency, Consent and Control (TCC) system. Regula said that macOS users are familiar with the privacy tab in TCC, which grants permissions to applications to operate. Alongside Csaba Fitzl, content developer at Offensive Security, Regula enumerated a list of over 20 different ways that TCC can potentially be abused or bypassed to leak private information.

One way TCC can be bypassed is via application plug-ins, the technique behind CVE-2020-27937, a vulnerability disclosed by Regula and patched in macOS 11.0.1. In that case, the application plug-in abuses the authorizations of the macOS Directory Utility to gain unauthorized access.

Process injection is another way TCC can be bypassed, as demonstrated by CVE-2020-10006, which was also patched in macOS 11.0.1. More recently, Apple patched CVE-2021-30751 in macOS 11.4, a TCC bypass in the Notes application that ships as part of the operating system.

In particular, Regula noted that third-party apps are quite useful for enabling TCC bypasses through process injection. In his view, all apps built with the Electron JavaScript framework are vulnerable by default in current versions of macOS. The Firefox web browser is also vulnerable to a TCC process injection attack on macOS.

Another way that TCC can be bypassed is via application behavior. For example, Fitzl noted that some applications move files when they execute an operation, and that movement might enable access to private files. That type of bypass can lead to information leaks, according to Fitzl. In the last two years, Fitzl and Regula have reported no less than five different vulnerabilities in TCC that can lead to info leaks.

Why Apple’s Security Bounty Needs to Improve

The two researchers noted they have submitted all the vulnerabilities they find via the Apple Security Bounty (ASB) program, which rewards researchers for responsibly disclosing issues.

Fitzl noted that ASB has a category for privacy bypasses, which can range from $25,000 for small leaks, up to $100,000 USD for major bypasses. While the payouts can be substantial, Fitzl argued that the bug fixes can be really slow. Additionally, he complained that there is a lack of transparency from Apple about when, or even if, a reported issue will be fixed. In fact, Fitzl noted that in at least one case it took two years for a submitted issue to be patched by Apple. Fitzl also complained that there can sometimes be a very delayed response to an initial report, with one case taking seven months to get a response.

"There are a lot of things that Apple should improve," Regula said. "For example, I would like to see a transparent way to see the current state of bug reports, if they are fixed or there are plans to fix, because we have heard about a lot of silent fixes."
