Jamf uncovers TCC bypass vulnerability allowing stealthy access to iCloud data
Last week I received an interesting report from Jamf Threat Labs, the security research arm of the popular Apple device management company Jamf. It details a critical but now-patched vulnerability in iOS and macOS. The finding was under embargo until now, so today I can finally talk about it.
Jamf Threat Lab has discovered a critical vulnerability in Apple's Transparency, Consent, and Control (TCC) subsystem on iOS and macOS that could allow a malicious application to access sensitive user data completely unnoticed, without triggering any notification or user-consent prompt.
In the Apple ecosystem, TCC is a core security framework: it prompts users to grant, restrict, or deny individual applications' requests to access sensitive data. You will have seen these prompts when opening an app for the first time. When this control fails, the result is a TCC bypass, which lets an application access private information without the user's explicit consent or knowledge.
The newly discovered vulnerability, tracked as CVE-2024-44131, affects the Files.app and FileProvider.framework system processes and could leak users' private information, including photos, GPS location, contacts, and health data. Jamf also said it could allow a malicious application to access the user's microphone and camera. All of this could happen completely undetected.
How it works
Jamf’s research team discovered that the potential bypass involves symbolic links that exploit the way file operations are handled in iOS. By strategically inserting symbolic links during file copying, a malicious application can intercept and redirect file movement without triggering a TCC prompt.
“When users move or copy files in Files.app, a background malicious application can intercept these actions and redirect the files to a location controlled by the application,” Jamf Threat Lab explains in the report. “By exploiting fileproviderd’s elevated privileges, a malicious application can hijack file moves or copies without triggering a TCC prompt. Such exploits can occur in the blink of an eye and are completely undetectable by the end user.”
The most concerning aspect of the vulnerability is its potential to secretly access data. Since no TCC prompt is triggered here, users have no indication that their data is being accessed or moved to an attacker-controlled directory.
Particularly exposed are files stored in iCloud, especially those under directories such as /var/mobile/Library/Mobile Documents/. Besides any photos or documents stored there, this can include data from apps like WhatsApp, Pages, and other cloud-syncing apps.
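To make the symlink-redirection pattern concrete, here is an added illustration in generic Python (not Jamf's or Apple's code): a naive copy follows a symlink planted at the destination and writes outside the sync container, while a hardened copy refuses pre-existing paths, verifies the resolved parent stays inside the allowed root, and opens with O_NOFOLLOW|O_EXCL so a link inserted between check and open fails the open. The directory names are constructed stand-ins for the iCloud container and an app-controlled directory.

```python
import os
import shutil
import tempfile
from pathlib import Path


def naive_copy(src: Path, dst_dir: Path, name: str) -> Path:
    """Copy that trusts the destination path; a symlink there silently redirects the write."""
    target = dst_dir / name
    shutil.copyfile(src, target)  # open(target, "wb") follows symlinks
    return target.resolve()


def safe_copy(src: Path, dst_dir: Path, name: str, allowed_root: Path) -> Path:
    """Copy that refuses redirection: nothing may pre-exist at the destination, the parent
    must resolve inside allowed_root, and the file is created with O_NOFOLLOW|O_EXCL."""
    allowed_root = allowed_root.resolve()
    target = dst_dir / name
    if target.is_symlink() or target.exists():
        raise PermissionError(f"refusing to write over existing path: {target}")
    if not target.parent.resolve().is_relative_to(allowed_root):
        raise PermissionError(f"destination escapes container: {target}")
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
    return target.resolve()


def demo() -> dict:
    """Constructed scenario: a symlink planted in the sync root points outside it."""
    base = Path(tempfile.mkdtemp())
    sync_root = base / "MobileDocuments"  # constructed stand-in for the iCloud container
    outside = base / "other_app_dir"      # constructed stand-in for an app-controlled directory
    sync_root.mkdir()
    outside.mkdir()
    src = base / "photo.jpg"
    src.write_bytes(b"constructed sample bytes")
    (sync_root / "photo.jpg").symlink_to(outside / "photo.jpg")  # the planted link
    results = {}
    landed = naive_copy(src, sync_root, "photo.jpg")
    results["naive_landed_outside"] = not landed.is_relative_to(sync_root.resolve())
    try:
        safe_copy(src, sync_root, "photo.jpg", sync_root)
        results["safe_refused"] = False
    except PermissionError:
        results["safe_refused"] = True
    ok = safe_copy(src, sync_root, "notes.txt", sync_root)  # no link: normal copy succeeds
    results["safe_ok"] = ok.is_relative_to(sync_root.resolve()) and ok.read_bytes() == src.read_bytes()
    shutil.rmtree(base)
    return results
```

Running demo() shows the naive copy landing in the outside directory while the hardened copy rejects the planted link and still completes an ordinary copy.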
It is unclear whether this vulnerability is being actively exploited. Jamf said it immediately reported the issue to Apple, which fixed it in the initial releases of iOS 18 and macOS 15 in September.
You can view the full research from Jamf Threat Lab here.
2024-12-10 14:44:37