MacOS Bug Could Let Creeps Snoop On You
Microsoft on Monday released details about a macOS bug, named "Powerdir," that Apple fixed last month and that could let attackers hijack apps, install their own nasty apps, use the microphone to eavesdrop or grab screenshots of whatever's displayed on your screen.
Introduced in 2012 in macOS Mountain Lion, Transparency, Consent, and Control (TCC) helps users configure their apps' privacy settings by requiring that all apps get user consent before accessing files in Documents, Downloads, Desktop, iCloud Drive, calendar and network volumes, as well as before the apps are allowed to access the device's camera, microphone or location.
The Bug Trips Up TCC

TCC stores the consent history of app requests.
If an attacker gets full disk access to the TCC databases, Microsoft explained, then the world's their app oyster: "They could edit it to grant arbitrary permissions to any app they choose, including their own malicious app. The affected user would also not be prompted to allow or deny the said permissions, thus allowing the app to run with configurations they may not have known or consented to."
Since the user could manipulate the $HOME environment variable, an attacker could plant a chosen TCC.db file in an arbitrary path, poison the $HOME environment variable, and make TCC consume that file instead.

Bundle conclusion issue: First disclosed by Jamf in a blog post about the XCSSET malware family, this bug abused how macOS was deducing app bundle information.
Apple has responded to those vulnerabilities with two changes: It protected the system-wide TCC.db via System Integrity Protection, a macOS feature that prevents unauthorized code execution, and it enforced a TCC policy that only apps with full disk access can access the TCC.db files.
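
A defender-side check for the $HOME-poisoning pattern described above, as an added example that is not from Microsoft's write-up or the original article: it flags a $HOME that differs from the account's recorded home directory and finds TCC.db files sitting outside the expected per-user location. The relative path in `TCC_REL`, the function names and the sample directory tree are assumptions of this example.

```python
import os
import pwd
import tempfile
from pathlib import Path

# Assumption: per-user TCC database location, relative to the home directory.
TCC_REL = Path("Library/Application Support/com.apple.TCC/TCC.db")


def home_is_poisoned(env_home, account_home):
    """True when $HOME does not resolve to the account's recorded home directory."""
    if not env_home:
        return True  # an unset or empty HOME is also worth flagging
    return os.path.realpath(env_home) != os.path.realpath(account_home)


def stray_tcc_databases(search_root, legitimate_homes):
    """Return TCC.db files under search_root that are not at a legitimate home's TCC path."""
    expected = {os.path.realpath(Path(h) / TCC_REL) for h in legitimate_homes}
    strays = []
    for dirpath, _dirs, files in os.walk(search_root):
        if "TCC.db" in files:
            found = os.path.realpath(os.path.join(dirpath, "TCC.db"))
            if found not in expected:
                strays.append(found)
    return sorted(strays)


def build_sample_tree(root):
    """Constructed sample: one legitimate home and one planted copy elsewhere."""
    good_home = Path(root) / "Users" / "alice"
    planted_home = Path(root) / "tmp" / "fakehome"
    for home in (good_home, planted_home):
        db = home / TCC_REL
        db.parent.mkdir(parents=True)
        db.write_bytes(b"")  # empty placeholder, not a real database
    return str(good_home), str(planted_home)


if __name__ == "__main__":
    # Compare this process's environment with the account database entry.
    account_home = pwd.getpwuid(os.getuid()).pw_dir
    print("HOME poisoned:", home_is_poisoned(os.environ.get("HOME"), account_home))
    with tempfile.TemporaryDirectory() as root:
        good, planted = build_sample_tree(root)
        print("stray TCC.db:", stray_tcc_databases(root, [good]))
```

On a real host, pass the home directories from the account database as `legitimate_homes` and point `search_root` at user-writable locations.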