macOS HM Surf flaw in TCC allows bypass Safari privacy settings
October 18, 2024
Microsoft disclosed a flaw in the macOS Apple’s Transparency, Consent, and Control (TCC) framework that could allow it to bypass privacy settings and access user data.
Microsoft discovered a vulnerability, tracked as CVE-2024-44133 and code-named ‘HM Surf’, in Apple’s Transparency, Consent, and Control (TCC) framework in macOS.
Apple’s Transparency, Consent, and Control framework in macOS is designed to protect user privacy by managing how apps access sensitive data and system resources. It requires applications to request explicit user permission before they can access certain types of information or system features
Successful exploitation of the flaw could allow attackers to bypass privacy settings and access user data.
The “HM Surf” vulnerability removes TCC protection from Safari, allowing access to user data, including browsing history, camera, microphone, and location without consent.
“The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent.” reads the advisory published by Microsoft.
Apple addressed the vulnerability with the release of macOS Sequoia 15.
At present, the new TCC protections are only used by the Safari browser. Microsoft has also reported the issue to other browser vendors and is assisting them in investigating the benefits of hardening local configuration files.
The Transparency, Consent, and Control (TCC) framework on macOS requires applications to get explicit user consent before accessing sensitive resources like contacts, photos, or location. TCC works with entitlements, which are capabilities that apps need to support specific functions. While developers can use a selection of entitlements, the most powerful ones are reserved for Apple’s own apps and system binaries.
Apple’s Transparency, Consent, and Control (TCC) framework allows apps with the “com.apple.private.tcc.allow” entitlement, like Safari, to bypass TCC checks for specified services.
Apple’s Safari can completely bypass TCC using the “com.apple.private.tcc.allow” entitlement.
Microsoft pointed out that Safari can bypass TCC (Transparency, Consent, and Control) checks, allowing it to access sensitive services like the address book, camera, and microphone without typical access restrictions. The experts also noticed that Safari uses Apple’s Hardened Runtime to prevent arbitrary code execution. Apple’s Hardened Runtime uses strict library-validation, ensuring only libraries signed by the same Team ID are loaded.
Safari also maintains its own TCC policy, showing popups for camera or microphone access and stores configuration in files located in the user’s home directory under ~/Library/Safari.
The HM Surf exploit exploit demonstrated by Microsoft to bypass Safari protections involves the following steps:
- Running Safari to exploit access to the camera, location, and other sensitive data without the user’s consent.
- Changing the user’s home directory using the
dsclutility, which doesn’t need TCC access in macOS Sonoma, temporarily removing TCC protection from the~/Library/Safaridirectory. - Modifying sensitive files like
PerSitePreferences.dbin the original home directory. - Reverting the home directory so Safari uses the altered files.
Microsoft states that third-party browsers aren’t affected since they lack Apple’s private entitlements.
Microsoft experts warn of suspicious activity, likely associated with the exploiting of this vulnerability to deploy macOS adware AdLoad.
“Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the Adload campaign is exploiting the HM surf vulnerability itself. Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Safari)