![Apple macOS and iOS vulnerability](https://media.cybernews.com/images/featured-big/2024/12/icloud.jpg)
A serious security flaw in Apple iOS and macOS enables malicious apps to bypass security controls and secretly access personal information. Apple patched the issue in its September 16th releases of iOS 18 and macOS 15.
The vulnerability, labeled CVE-2024-44131, has been assigned a base severity score of 5.5 out of 10.
It affects Apple’s Transparency, Consent, and Control (TCC) subsystem, which prompts users to grant or deny permission when an app requests access to sensitive data, such as photos, contacts, location, and others.
Researchers demonstrated that it can be exploited to gain malicious access to sensitive information stored on iCloud.
The flaw was discovered by 08Tc3wBB and Jamf, a cybersecurity company specializing in securing Apple devices.
“Should this TCC bypass vulnerability be successfully exploited on an unpatched device, users could unwittingly have their sensitive data accessed by another application (including any malicious applications) on their device,” the firm said.
“Wariness around Apple Intelligence may be preventing some organizations from applying the latest operating systems updates, which leaves this attack vector open for exploitation,” warns Michael Covington, VP of Portfolio Strategy at Jamf.
How does this TCC bypass work?
TCC asks for user permission before an app can access sensitive data. The TCC bypass vulnerability occurs when this control fails.
The flaw was discovered in File Provider, Apple’s system for sharing and managing files among apps.
A potential attacker could craft a malicious app that, once installed on the device, lurks and waits for the user to move or copy files with Files.app. Files.app is a management app for organizing files on a device and in cloud storage.
When the malicious app detects this operation, it creates a special shortcut (symlink) to redirect the files elsewhere. When files are moved or copied within accessible directories, the attackers can manipulate symlinks and deceive Files.app.
This way the malicious app could hijack moved or copied files without triggering any prompt.
“Once data has been copied, the attacker can then hide directories or upload it to a remote server.”
According to Jamf Threat Lab, this TCC bypass allows unauthorized access to Files and folders, Health data, the Microphone or Camera, and more without alerting users.
“This exploitation can happen in the blink of an eye, entirely undetected by the end user,” the Jamf report said.
“It allows apps to sidestep these TCC controls and access user data without any notification.”
The type of data the malicious app could access depends on which system process is executing the operation. Files.app has special entitlements that provide privileges not accessible to regular applications.
Researchers built a proof of concept, a regular iOS app that monitors a file within its document folder and redirects it once the user tries to copy or move it. It was able to leak data from WhatsApp stored on iCloud.
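The redirection described above is possible when a privileged process resolves a destination by path name while another app can still change what that name points to. As an added example (not code from Jamf, Apple, or this article, and not a description of Apple's patch), the Python below shows the general defence for any file-copying service: walk the destination one component at a time through directory descriptors and refuse every symlink. The function names and the sandbox layout are assumptions made for illustration.

```python
import os
import tempfile

def open_dir_no_symlinks(root_fd, rel_path):
    """Descend rel_path below root_fd one component at a time, refusing symlinks."""
    fd = os.dup(root_fd)
    try:
        for part in rel_path.split("/"):
            if part in ("", ".", ".."):
                raise ValueError(f"unsafe path component: {part!r}")
            # O_NOFOLLOW: the open fails if this component is a symlink, so a
            # link swapped in during the operation cannot redirect the walk.
            nxt = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nxt
        return fd
    except BaseException:
        os.close(fd)
        raise

def safe_copy_into(root, rel_dir, name, data):
    """Create root/rel_dir/name and write data, never resolving a symlink."""
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)  # root is assumed trusted
    try:
        dir_fd = open_dir_no_symlinks(root_fd, rel_dir)
    finally:
        os.close(root_fd)
    try:
        # O_EXCL refuses a name that already exists, including a planted link.
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        with os.fdopen(os.open(name, flags, 0o600, dir_fd=dir_fd), "wb") as out:
            out.write(data)
    finally:
        os.close(dir_fd)

def demo():
    """Constructed sandbox: 'inbox' is a real directory; 'redirected' is a
    symlink pointing outside root, standing in for the swapped-in link."""
    with tempfile.TemporaryDirectory() as base:
        root, outside = os.path.join(base, "root"), os.path.join(base, "outside")
        os.makedirs(os.path.join(root, "inbox"))
        os.mkdir(outside)
        os.symlink(outside, os.path.join(root, "redirected"))
        safe_copy_into(root, "inbox", "a.txt", b"ok")
        try:
            safe_copy_into(root, "redirected", "a.txt", b"data")
            refused = False
        except OSError:
            refused = True
        return os.path.exists(os.path.join(root, "inbox", "a.txt")), refused, os.listdir(outside)

if __name__ == "__main__":
    print(demo())
```

Because every later open is relative to a descriptor that was already verified, replacing a directory name with a link after the check no longer changes where the data is written.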
Users should immediately update their iPhones, iPads and Macs to the latest OS versions to safeguard against the flaw.
Many US employees use personal phones for work, putting sensitive data in danger.
“This vulnerability shows that mobile devices should not be considered ‘safe’ or low-risk endpoints. The reality of mobile threats underscores the importance of treating all endpoints – whether desktops or mobile devices – with the same security rigor,” Jamf researchers said.
They believe this discovery highlights a broader security concern: attackers can access data from multiple locations and focus on the weakest connected systems.
Cloud services allow data to sync across multiple devices, creating a variety of entry points for attackers.