New macOS vulnerability allows unauthorized data access

A new macOS vulnerability could allow a malicious actor to evade an operating system’s Transparency, Consent, and Control (TCC) technology, providing the attacker with unauthorized access to a legitimate user’s protected information. The vulnerability, dubbed HM Surf, removes TCC protection in the directory for the Safari browser. It then alters a configuration file in this directory, allowing the malicious actor to gain access to the user’s information. The information accessed may include:

• Browsed pages
• Device camera and microphone
• Device location

The vulnerability is specific to how the Safari browser addresses Transparency, Consent, and Control (TCC) permissions. These TCC details are stored in the user’s “~/Library/Safari” folder, in sqlite3 database PerSitePreferences.db, (which any user can interrogate with simple commands like:

sqlite3 PerSitePreferences.db

sqlite> SELECT * FROM preference_values; )

In addition, optionally the UserMediaPermissions.plist file(if exists) may contain further configuration details. Defenders can certainly check whether these have been modified and detect the directory change using the DSCL (Directory Service command line) utility as well.

“The exploit claims to use the DSCL tool to modify the home folder which can read without specific permissions, however will require Sudo privileges to modify settings on most Macs, therefore, I believe that the exploit may not be easily and universally abused.”