Microsoft has detailed a vulnerability in macOS that could allow an attacker to bypass the operating system's built-in technology controls and gain access to users' protected data. Dubbed “PowerDroid”, the issue affects a system called Transparency, Consent and Control (TCC), which has been available since 2012 to help users configure their apps' privacy settings. The flaw could let attackers hijack existing apps installed on Mac computers, or install their own apps, and begin accessing hardware, including microphones and cameras, to gain user data.
As explained in a blog post, the macOS vulnerability could be exploited to bypass TCC and target users' sensitive data. Apple fixed the bug in the macOS Monterey 12.1 update it released last month. It was also fixed for older hardware through macOS Big Sur 11.6. However, devices running older macOS versions are still vulnerable.
Apple uses TCC to help users configure privacy settings such as access to a device's camera, microphone and location, as well as access to services including the calendar and iCloud account. The technology is available through the Security & Privacy section in System Preferences.
On top of TCC, Apple uses a feature that aims to prevent the system from unauthorized code execution and has implemented a policy that restricts TCC access only to apps with full disk access. Microsoft security researcher Jonathan Barr said in a blog post that an attacker could, however, alter a target user’s home directory and impersonate a fake TCC database to obtain the consent history of app requests.
“If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially plan an attack based on a user’s protected personal data,” the researcher said.
Microsoft researchers have also developed a proof-of-concept to demonstrate how the vulnerability can be exploited by changing the privacy settings on a particular app.
Apple acknowledged the efforts made by the Microsoft team in its security document. The vulnerability is tracked as CVE-2021-30970.