
Security Bite: Jamf uncovers TCC bypass vulnerability allowing stealthy access to iCloud data

Last week, I received an interesting report from the security research arm of the popular Apple device management software firm Jamf that detailed a serious but now-patched iOS and macOS vulnerability. The finding was under embargo, but today, I can finally talk about it.

Jamf Threat Labs uncovered a significant vulnerability in Apple’s Transparency, Consent, and Control (TCC) subsystem on iOS and macOS that could allow malicious apps to access sensitive user data completely unnoticed, without triggering any notifications or user consent prompts.

Across Apple’s ecosystem, TCC functions as a hugely important security framework that prompts users to grant, limit, or deny requests from individual apps to access sensitive data. You’ll likely encounter these prompts when opening applications for the first time. However, a TCC bypass vulnerability can happen when this control mechanism fails, potentially enabling the application to access private information without the user’s explicit consent or awareness.

The newly discovered vulnerability, tracked as CVE-2024-44131, impacts the Files.app and FileProvider.framework system processes and can expose users’ private information, including photos, GPS location, contacts, and health data. Moreover, Jamf says it could also allow potentially malicious applications access to a user’s microphone and camera. This exploit can occur completely undetected.

How it works

Jamf’s team of researchers discovered that the bypass relies on symlinks and on how file operations are handled within iOS. By strategically inserting a symlink midway through a file copying process, a malicious app can intercept and redirect file movements without triggering a TCC prompt.

“When a user moves or copies files within Files.app, a background malicious app can intercept these actions and redirect files to locations under the app’s control,” the Jamf Threat Labs report explains. “By taking advantage of the elevated privileges of fileproviderd, the malicious app can hijack file movements or copies without triggering a TCC prompt. This exploitation can happen in the blink of an eye, entirely undetected by the end user.”

The most alarming aspect of this vulnerability is its potential for stealthy access to data. Because no TCC prompts are triggered here, users have no indication that their data is being accessed or moved to an attacker-controlled directory.

Particularly vulnerable are iCloud-stored files, especially those in directories like /var/mobile/Library/Mobile Documents/. In addition to any photos or files stored here, this can also include data from apps like WhatsApp, Pages, and other cloud-synced applications.
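The general defense against this class of symlink redirection, shown as an added example that is not taken from Jamf's report, Apple's patch, or this article: a privileged file mover pins each directory by descriptor and refuses symlinks at every path component and at the destination name. It uses standard POSIX calls; the function names and the temporary directory tree are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk rel beneath root_fd one component at a time; any symlink (or "..")
 * along the way fails the walk. Returns a pinned directory fd, or -1. */
int open_dir_beneath(int root_fd, const char *rel) {
    char buf[1024], *save;
    if (strlen(rel) >= sizeof buf) return -1;
    strcpy(buf, rel);
    int fd = dup(root_fd);
    for (char *c = strtok_r(buf, "/", &save); c && fd >= 0; c = strtok_r(NULL, "/", &save)) {
        int next = strcmp(c, "..") ? openat(fd, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW) : -1;
        close(fd);
        fd = next;
    }
    return fd;
}

/* Create name inside the pinned directory. O_EXCL | O_NOFOLLOW makes a symlink
 * planted at the destination fail the open instead of redirecting the write. */
int write_file_at(int dir_fd, const char *name, const char *data) {
    int fd = openat(dir_fd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Constructed tree: docs/ is real; swapped and docs/link.txt are symlinks
 * standing in for components replaced mid-copy. Returns one bit per check. */
int run_demo(void) {
    char tmpl[] = "/tmp/symlink-demo-XXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    int root = open(tmpl, O_RDONLY | O_DIRECTORY), r = 0;
    if (root < 0 || mkdirat(root, "docs", 0700) || mkdirat(root, "elsewhere", 0700) ||
        symlinkat("elsewhere", root, "swapped") ||
        symlinkat("../elsewhere/stolen.txt", root, "docs/link.txt")) return -1;
    int docs = open_dir_beneath(root, "docs");
    r |= (docs >= 0) << 0;                                    /* real directory opens */
    r |= (open_dir_beneath(root, "swapped") < 0) << 1;        /* symlinked dir refused */
    r |= (write_file_at(docs, "link.txt", "data") < 0) << 2;  /* symlinked name refused */
    r |= (faccessat(root, "elsewhere/stolen.txt", F_OK, 0) != 0) << 3; /* no redirect */
    r |= (write_file_at(docs, "ok.txt", "data") == 0) << 4;   /* normal write works */
    return r;
}

int main(void) { printf("checks passed mask: 0x%x\n", run_demo()); return 0; }
```

Because every later operation goes through the pinned descriptor rather than re-resolving a path string, swapping a path component for a symlink after the walk has no effect on where the data lands.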

It’s not known if this vulnerability was actively being exploited. Jamf says it promptly reported it to Apple, which patched it in the initial release of iOS 18 and macOS 15 back in September.

You can see Jamf Threat Labs’ full research here.


Follow Arin: Twitter/X, LinkedIn, Threads
