- Security researchers find a way to leak sensitive data through FileProvider
- The bug abuses the framework’s elevated privileges
- Apple patch resolves issue by improving validation of symbolic links
Apple has fixed a vulnerability in iOS and macOS that could be abused to steal a victim's sensitive data.
Cybersecurity researchers at Jamf Threat Labs recently discovered and reported a vulnerability in FileProvider, a framework in macOS and iOS that lets applications manage and access files stored locally or on remote servers.
The vulnerability, tracked as CVE-2024-44131 with a CVSS score of 5.3, stems from the framework's elevated privileges and can be abused to move files, or even upload them to remote servers controlled by the attacker, without alerting the user.
Symlink manipulation
The vulnerability bypasses Apple's Transparency, Consent, and Control (TCC) framework, which is often described as a critical security protection mechanism for Apple devices: TCC is what prompts the user before an app can reach protected resources such as the camera, microphone or private folders.
“This TCC bypass allows unauthorized access to files and folders, health data, microphone or camera, etc. without alerting the user,” Jamf said. “This erodes user trust in the security of iOS devices and puts personal data at risk.”
In practice, a threat actor who can get a malicious app running on an Apple device could intercept the user's own move or copy operations in the Files app and redirect the data to a location under the attacker's control.
“Specifically, when a user uses Files.app to move or copy files or directories in a directory that is accessible to a malicious application running in the background, an attacker can manipulate symlinks to trick the Files application,” Jamf added. “The new symlink attack method first copies an innocent file, providing a detectable signal to the malicious process that the copy has begun, and then inserts the symlink after the copy process has begun, effectively bypassing the symlink check.”
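The technique Jamf describes is a classic time-of-check/time-of-use race: the copier screens a folder for symlinks once, starts copying, and the attacker swaps a not-yet-copied entry for a symlink as soon as the first copy lands. The following is an added example, not code from Apple, Jamf or the original article, that reproduces the pattern in a small Python copier. The `vulnerable_copy` routine checks then copies with symlink-following calls; `hardened_copy` opens each source with `O_NOFOLLOW` at the moment of use and confirms via `fstat` that it holds a regular file, so a symlink inserted after the listing is refused by `open(2)` itself. The folder layout, file names, the "secret" file and the attacker's swap-on-first-copy callback are all constructed for the demonstration; the real bug lived inside FileProvider, not in these functions.

```python
import os
import shutil
import stat
import tempfile


def make_fixture():
    """Constructed layout: 'shared' (readable and writable by the attacker),
    'secret.txt' outside it (readable only by the privileged copier), and
    an empty 'dest' folder. Returns the root so the caller can clean up."""
    root = tempfile.mkdtemp(prefix="symlink-race-")
    shared, dest = os.path.join(root, "shared"), os.path.join(root, "dest")
    os.mkdir(shared)
    os.mkdir(dest)
    for name, body in (("a.txt", "innocent a\n"), ("b.txt", "innocent b\n")):
        with open(os.path.join(shared, name), "w") as f:
            f.write(body)
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("PROTECTED DATA\n")
    return root


def attacker_swap(shared, secret):
    """Attacker's move once the first copy has landed: replace an entry that
    has not been copied yet with a symlink to the protected file."""
    victim = os.path.join(shared, "b.txt")
    os.unlink(victim)
    os.symlink(secret, victim)


def vulnerable_copy(src_dir, dst_dir, on_file_copied=None):
    """Check-then-copy. The symlink screen runs once, up front; the copies
    that follow use a call that resolves symlinks, so anything swapped in
    after the screen is copied as if it were the original file."""
    names = sorted(os.listdir(src_dir))
    for name in names:
        if os.path.islink(os.path.join(src_dir, name)):
            raise PermissionError(f"refusing symlink {name}")
    for name in names:
        # follows symlinks by default: the hole the race exploits
        shutil.copyfile(os.path.join(src_dir, name), os.path.join(dst_dir, name))
        if on_file_copied:
            on_file_copied(name)


def hardened_copy(src_dir, dst_dir, on_file_copied=None):
    """Check-at-use. Each source is opened with O_NOFOLLOW relative to a
    directory descriptor, then fstat confirms the open descriptor is a
    regular file; the data copied is exactly the object that was checked."""
    dir_fd = os.open(src_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in sorted(os.listdir(dir_fd)):
            try:
                fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
            except OSError as e:  # ELOOP if a symlink was swapped in
                raise PermissionError(f"refusing {name}: {e.strerror}") from e
            try:
                if not stat.S_ISREG(os.fstat(fd).st_mode):
                    raise PermissionError(f"refusing non-regular file {name}")
                with open(fd, "rb", closefd=False) as src, \
                        open(os.path.join(dst_dir, name), "wb") as dst:
                    shutil.copyfileobj(src, dst)
            finally:
                os.close(fd)
            if on_file_copied:
                on_file_copied(name)
    finally:
        os.close(dir_fd)


def run_race(copier):
    """Drive one copier through the race. The attacker waits for the first
    completed copy (the 'detectable signal') and then swaps b.txt.
    Returns (contents of dest by name, error message or None)."""
    root = make_fixture()
    shared, dest = os.path.join(root, "shared"), os.path.join(root, "dest")
    secret = os.path.join(root, "secret.txt")
    swapped = False

    def on_copied(_name):
        nonlocal swapped
        if not swapped:
            attacker_swap(shared, secret)
            swapped = True

    error = None
    try:
        copier(shared, dest, on_copied)
    except PermissionError as e:
        error = str(e)
    out = {}
    for name in sorted(os.listdir(dest)):
        with open(os.path.join(dest, name)) as f:
            out[name] = f.read()
    shutil.rmtree(root)
    return out, error


if __name__ == "__main__":
    print("vulnerable:", run_race(vulnerable_copy))  # dest/b.txt holds PROTECTED DATA
    print("hardened:  ", run_race(hardened_copy))    # b.txt refused, only a.txt copied
```

The hardened variant still lists the directory before copying, which is fine: the listing is only used to pick names, and every security decision is made on the descriptor actually read. On macOS the equivalent guards are `O_NOFOLLOW` (or `O_NOFOLLOW_ANY` on recent releases, which also rejects symlinks in intermediate path components) together with `fstat` on the opened descriptor.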
Apple fixed the bug in iOS 18, iPadOS 18 and macOS Sequoia 15 by improving validation of symbolic links (symlinks), and recommends that users apply the update as soon as possible.
Via The Hacker News