Developer Jeff Johnson has discovered A privacy vulnerability in macOS that gives hackers access to files for a Safari user. This problem affects even the beta version of macOS Big Sur, and the developer informed Apple about the vulnerability, but claimed that the company left the bug without processing for more than six months.
The developer described Apple’s efforts as aiming to provide a sense of security while doing nothing to achieve this. Apple’s actions prompted Johnson to abandon the security bonus program, which the company expanded last year to include macOS several years after it did the same to iPhone developers.
The way exploiting the vulnerability appears to be worrying, as a deluded Safari user can download a harmless file from a website, allowing attackers to design a modified version of Safari, which macOS then treats as the original application.
Any restricted file that can be accessed through Safari becomes available to the attacker, who can automate the transmission of files, which should be protected, to the attacker’s server.
As Johnson explains, this exploitation is possible. Because Apple’s Privacy Protection System (TCC) allows exceptions that only look at the application ID, and not where the file is run.
The system superficially verifies that the code signature is applicable only, which means that a modified version of Safari can be run from the wrong directory without turning on protection (TCC).
This problem extends across macOS 10.14 mojave, macOS 10.15 Catalina and macOS 11 Big Sur, putting at risk millions of consumers and businesses at risk, presumably private data.
Regardless of the exploitation, Johnson explained that Apple’s sporadic responses did not instill confidence in the speed or potential for returns in a timely manner from the safety reward program.
After reporting the exploitation in December 2019, Johnson received confirmation that Apple was planning to address the problem, but nothing happened until the end of June 2020.
This period exceeds the applicable limits for detection within 90 days, and this is the second incident, at least, in the developer’s personal experience.
Johnson says: You have the right to know that the system you rely on for protection does not protect you, and despite claims to the contrary, Apple’s closing of macOS is not justified by the alleged privacy and security benefits.
Source : Johnson
