A critical security vulnerability affecting Apple’s iOS and macOS has recently been reported and subsequently patched. This flaw allowed potential exploitation of the Transparency, Consent, and Control (TCC) framework, posing a significant risk of unauthorized access to sensitive user data.

Tracked as CVE-2024-44131 with a CVSS score of 5.3, the vulnerability lies in the FileProvider component of Apple’s operating systems. Apple addressed it with improved validation of symbolic links in iOS 18, iPadOS 18, and macOS Sequoia 15.

The issue was first uncovered and reported by Jamf Threat Labs, which indicates that a malicious application installed on the system could leverage this TCC bypass to access sensitive information covertly.

TCC is a pivotal security feature for Apple devices, designed to enable users to grant or deny requests from applications seeking access to private data, such as location services, contacts, and photographs. The vulnerability, however, jeopardizes this framework by allowing undetected access to various data types, including Health information, as well as control over device features like the microphone and camera.

This security lapse enables a rogue application operating in the background to intercept file operations performed by users within the Files app, redirecting them to unauthorized destinations. The exploitation technique hinges on the elevated privileges of fileproviderd, a service responsible for managing file activities relevant to iCloud and third-party cloud solutions.

The malicious app relies on symlink manipulation to mislead the Files app and, through it, fileproviderd. It waits for the user to copy a benign file, which signals to the malicious code that a file operation is underway. A symlink is then inserted while the copy is still in progress, so the operation completes against a path the earlier checks never examined, bypassing the intended protections.

This sophisticated attack vector allows for potential interactions with critical system paths, enabling unauthorized copying, moving, or even deletion of files and directories located in “/var/mobile/Library/Mobile Documents/”. Consequently, attackers could access and exfiltrate iCloud data linked to both first-party and third-party applications.
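The patch note's "improved validation of symbolic links" points at the general defence against the race described above: a privileged file service must not act on a path it checked a moment earlier, because the caller can swap a symlink into that path in between. The C program below is an added illustration written for this article; it is not Apple's FileProvider code nor Jamf's research tooling, and the temporary directory, file names and the `safe_open_in_root` helper are constructed for the demonstration. It shows the three checks that close the window: restrict the name to a single path component, open with `O_NOFOLLOW` so the kernel refuses to follow a symlink in the final component, and verify the type of the descriptor actually opened with `fstat()` rather than a path-based `stat()`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `name` inside the directory referenced by `root_fd` and return a
 * descriptor for it, or -1 with errno set. Three checks make up the guard:
 *   1. `name` must be a single path component (no '/', not "." or "..") so
 *      it cannot climb out of the root;
 *   2. O_NOFOLLOW makes the kernel refuse a symlink as the final component
 *      (ELOOP on Linux and macOS), so no check-then-open window exists;
 *   3. fstat() on the descriptor we actually hold confirms a regular file.
 * The decision is made on the opened object, not on a path string, so a link
 * swapped in between check and use cannot redirect the operation. */
int safe_open_in_root(int root_fd, const char *name) {
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    int fd = openat(root_fd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed fixture: a temporary root holding a regular file and a symlink
 * that points outside the root (standing in for the link an attacker swaps
 * in during a copy). Exercises safe_open_in_root and returns a bitmask:
 * bit 0 = regular file opened, bit 1 = symlink refused, bit 2 = traversal
 * name refused. A value of 7 means all three behaviours are as intended. */
int run_demo(void) {
    char root[] = "/tmp/tcc_demo_XXXXXX";
    if (mkdtemp(root) == NULL) return 0;
    int root_fd = open(root, O_RDONLY | O_DIRECTORY);
    if (root_fd < 0) return 0;

    /* benign.txt: an ordinary file the service is allowed to act on */
    int wfd = openat(root_fd, "benign.txt", O_WRONLY | O_CREAT, 0600);
    if (wfd >= 0) {
        ssize_t n = write(wfd, "hello\n", 6);
        (void)n;
        close(wfd);
    }
    /* outside.lnk: a symlink escaping the root; the target need not exist */
    symlinkat("/etc/hosts", root_fd, "outside.lnk");

    int result = 0;
    int fd = safe_open_in_root(root_fd, "benign.txt");
    if (fd >= 0) { result |= 1; close(fd); }
    if (safe_open_in_root(root_fd, "outside.lnk") < 0) result |= 2;
    if (safe_open_in_root(root_fd, "../etc/passwd") < 0 && errno == EINVAL) result |= 4;

    /* remove the fixture */
    unlinkat(root_fd, "benign.txt", 0);
    unlinkat(root_fd, "outside.lnk", 0);
    close(root_fd);
    rmdir(root);
    return result;
}

int main(void) {
    int r = run_demo();
    printf("regular file opened: %s\n", (r & 1) ? "yes" : "no");
    printf("symlink refused:     %s\n", (r & 2) ? "yes" : "no");
    printf("traversal refused:   %s\n", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

Build with `cc -Wall demo.c -o demo && ./demo`; the calls used (`openat`, `O_NOFOLLOW`, `symlinkat`, `unlinkat`, `mkdtemp`) are POSIX and available on both macOS and Linux. The design point is that the service never trusts the path twice: the name is validated once, the open refuses to follow a link, and every later operation uses the returned descriptor, which cannot be redirected after the fact.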

Importantly, this vulnerability undermines the integrity of the TCC framework: the access takes place without triggering any user prompt. Which data can be extracted depends heavily on the system process performing the operation, so the severity varies with the privileges of the process being abused.

Jamf highlights that the risk from these vulnerabilities is contingent upon the permissions of the processes involved, exposing significant gaps in access control for specific data types. Notably, certain datasets housed within folders defined by randomly assigned UUIDs or those accessed through specific APIs remain impervious to this attack.

The disclosure comes alongside Apple’s recent software updates addressing multiple other security issues, including several WebKit flaws that could lead to memory corruption and a logic issue in the audio services (CVE-2024-54529) that might allow an application to execute arbitrary code with elevated privileges. A Safari flaw (CVE-2024-44246) has also been fixed; it previously allowed websites to learn a device’s originating IP address through the Reading List feature when Private Relay was enabled.
