Details have emerged of a patched security vulnerability in Apple’s iOS and macOS that, if successfully exploited, could bypass the Transparency, Consent, and Control (TCC) framework and lead to unauthorized access to sensitive information.
The flaw, tracked as CVE-2024-44131 (CVSS score: 5.3), resides in the FileProvider component, according to Apple, and was resolved with improved validation of symbolic links (symlinks) in iOS 18, iPadOS 18, and macOS Sequoia 15.
Jamf Threat Labs, which discovered and reported the flaw, said the TCC bypass could be used by a rogue app installed on the system to obtain sensitive data without the user’s knowledge.
TCC serves as a critical security protection in Apple devices, giving end users the ability to allow or deny applications from requesting access to sensitive data such as GPS location, contacts, and photos, among others.
“This TCC bypass allows unauthorized access to files and folders, health data, microphone or camera, and more without alerting users,” the company said in a statement. “This undermines user confidence in the security of iOS devices and puts personal data at risk.”
Essentially, the vulnerability allows a malicious application running in the background to intercept a user’s actions to copy or move files in the Files app and redirect them to a location under the attacker’s control.
The hijack works by taking advantage of the elevated privileges of fileproviderd, a daemon that handles file operations for iCloud and third-party cloud file managers, to move files so that they can then be uploaded to a remote server.
“Specifically, if a user moves or copies files or directories using Files.app in a directory accessible to a malicious application running in the background, an attacker can manipulate symlinks to trick the Files app,” Jamf said.
“The new symlink attack method first copies an innocent file, providing a detectable signal to the malicious process that copying has begun. The symlink is then inserted after the copy process is already in progress, effectively bypassing the symlink check.”
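The race Jamf describes is a classic time-of-check to time-of-use (TOCTOU) problem: a symlink check performed on a path is only valid until the next instant, so anything that swaps the path between the check and the actual open defeats it. The following C program is an added illustration of that pattern and of the usual fix; it is not Jamf’s proof of concept or Apple’s FileProvider code, and it assumes a POSIX system (Linux or macOS). The file names, the `race_hook_t` callback that stands in for the background process, and the `demo` scenario are all constructed for the example.

```c
/* Added example: path-based symlink checks are racy; check and use must be
   one operation. Not Jamf's or Apple's code; assumes POSIX (Linux/macOS). */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hook: lets the test act inside the check-to-use window, the
   way the article's background process acts once the copy has started. */
typedef void (*race_hook_t)(void *ctx);

static int copy_fd_to_path(int in, const char *dst) {
    /* O_EXCL|O_NOFOLLOW: never write through a pre-existing link at dst. */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (out < 0) return -1;
    char buf[4096];
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { close(out); return -1; }
    close(out);
    return n < 0 ? -1 : 0;
}

/* Vulnerable pattern: lstat() the path, then open() the same path.
   A link planted between the two calls is followed by open(). */
int racy_copy(const char *src, const char *dst, race_hook_t hook, void *ctx) {
    struct stat st;
    if (lstat(src, &st) < 0) return -1;
    if (S_ISLNK(st.st_mode)) { errno = ELOOP; return -1; } /* "no symlinks" */
    if (hook) hook(ctx);               /* the window between check and use */
    int in = open(src, O_RDONLY);      /* follows whatever src is *now* */
    if (in < 0) return -1;
    int rc = copy_fd_to_path(in, dst);
    close(in);
    return rc;
}

/* Hardened pattern: the check is part of the open itself (O_NOFOLLOW), and
   the file type is confirmed on the descriptor with fstat(). O_NOFOLLOW
   only covers the final component; parent directories must be trusted
   (e.g. opened once and used via openat()). */
int safe_copy(const char *src, const char *dst, race_hook_t hook, void *ctx) {
    if (hook) hook(ctx);               /* same window, nothing left to race */
    int in = open(src, O_RDONLY | O_NOFOLLOW);   /* ELOOP if src is a link */
    if (in < 0) return -1;
    struct stat st;
    if (fstat(in, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(in); errno = EINVAL; return -1;
    }
    int rc = copy_fd_to_path(in, dst);
    close(in);
    return rc;
}

/* Constructed scenario: replace a regular file with a link to a "secret". */
struct swap_ctx { const char *path; const char *target; };
static void swap_for_link(void *p) {
    struct swap_ctx *c = p;
    unlink(c->path);
    symlink(c->target, c->path);
}

static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

static int read_file(const char *path, char *buf, size_t cap) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Returns 1 when: the racy copy leaks the secret, the hardened copy refuses
   the same swap with ELOOP, and the hardened copy still works on an
   untouched regular file. Returns -1 on setup failure, 0 otherwise. */
int demo(const char *dir) {
    char doc[512], secret[512], o1[512], o2[512], o3[512], buf[64];
    snprintf(doc, sizeof doc, "%s/doc.txt", dir);
    snprintf(secret, sizeof secret, "%s/secret.txt", dir);
    snprintf(o1, sizeof o1, "%s/racy.out", dir);
    snprintf(o2, sizeof o2, "%s/safe.out", dir);
    snprintf(o3, sizeof o3, "%s/plain.out", dir);
    unlink(doc); unlink(o1); unlink(o2); unlink(o3);
    if (write_file(secret, "SECRET") < 0 || write_file(doc, "hello") < 0) return -1;
    struct swap_ctx ctx = { doc, secret };

    int leaked = racy_copy(doc, o1, swap_for_link, &ctx) == 0
              && read_file(o1, buf, sizeof buf) == 0 && strcmp(buf, "SECRET") == 0;

    unlink(doc);
    if (write_file(doc, "hello") < 0) return -1;
    int refused = safe_copy(doc, o2, swap_for_link, &ctx) < 0 && errno == ELOOP;

    unlink(doc);
    if (write_file(doc, "hello") < 0) return -1;
    int works = safe_copy(doc, o3, NULL, NULL) == 0
             && read_file(o3, buf, sizeof buf) == 0 && strcmp(buf, "hello") == 0;

    return leaked && refused && works;
}

int main(void) {
    char dir[] = "/tmp/tocdemoXXXXXX";
    if (!mkdtemp(dir)) return 1;
    printf("racy leaks, safe refuses, safe copies plain file: %s\n",
           demo(dir) == 1 ? "yes" : "no");
    return 0;
}
```

The `hook` argument is the only thing that makes the race deterministic here; in the real bug the window is the time the daemon spends copying. The point for anyone writing a privileged file-handling component is the same either way: validate the object you actually operate on (a descriptor), not the name you looked up a moment earlier.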
As a result, an attacker can use the method to copy, move, or even delete files and directories under the path “/var/mobile/Library/Mobile Documents/” to access iCloud backup data belonging to both first- and third-party apps and exfiltrate it.
What makes this loophole significant is that it completely undermines the TCC framework without triggering any prompt to the user. However, the type of data that can be accessed depends on which system process performs the file operation.
“The severity of these vulnerabilities depends on the privileges of the target process,” Jamf said. “This exposes a gap in the enforcement of access controls for certain types of data, as not all data can be retrieved without warning due to this race.”
“For example, data in folders protected by randomly assigned UUIDs and data accessed through certain APIs remain unaffected by this type of attack.”
The development comes as Apple released updates across its software line to address several issues, including four flaws in WebKit that could lead to memory corruption or a process crash, and a logic vulnerability in Audio (CVE-2024-54529) that could allow an app to execute arbitrary code with kernel privileges.
The iPhone maker also fixed a bug in Safari (CVE-2024-44246) that could allow a website to guess the source IP address when adding it to a reading list on a device with Private Relay enabled. Apple said it fixed the issue with “improved routing of requests originating from Safari.”