Microsoft Researchers Detail macOS Vulnerability That Could Let Attackers Gain User Data

Apple fixed the vulnerability through a macOS release last month.

Advertisement
By Jagmeet Singh | Updated: 13 January 2022 19:13 IST
Highlights
  • macOS vulnerability could allow attackers to bypass TCC tech
  • Apple acknowledged Microsoft efforts while informing users
  • macOS has TCC since 2012 to help users configure privacy settings
Microsoft Researchers Detail macOS Vulnerability That Could Let Attackers Gain User Data

macOS users are recommended to install the latest update on their systems

Photo Credit: Gadgets 360/ Roydon Cerejo

Microsoft has detailed a vulnerability that existed in macOS which could allow an attacker to bypass its inbuilt technology controls and gain access to users' protected data. Dubbed “powerdir,” the issue impacts the system called Transparency, Consent, and Control (TCC) that has been available since 2012 to help users configure privacy settings of their apps. It could let attackers hijack an existing app installed on a Mac computer or install their own app and start accessing hardware including microphone and camera to gain user data.

As detailed on a blog post, the macOS vulnerability could be exploited by bypassing TCC to target users' sensitive data. Apple notably fixed the flaw in the macOS Monterey 12.1 update that was released last month. It was also fixed through the macOS Big Sur 11.6.2 release for older hardware. However, devices that are using an older macOS version are still vulnerable.

Apple is using TCC to help users configure privacy settings such as access to the device's camera, microphone, and location as well as services including calendar and iCloud account. The technology is available for access through the Security & Privacy section in System Preferences.

On top of TCC, Apple uses a feature that is aimed to prevent systems from unauthorised code execution and enforced a policy that restricts access to TCC to only apps with full disk access. An attacker can, though, change a target user's home directory and plant a fake TCC database to gain the consent history of app requests, Microsoft security researcher Jonathan Bar Or said in the blog post.

Advertisement

“If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user's protected personal data,” the researcher said.

Microsoft's researchers also developed a proof-of-concept to demonstrate how the vulnerability could be exploited by changing the privacy settings on any particular app.

Advertisement

Apple has acknowledged the efforts made by the Microsoft team in its security document. The vulnerability is traced as CVE-2021-30970.


What's most interesting about Apple's new MacBook Pros, M1 Pro and M1 Max silicon, AirPods (3rd Generation), and Apple Music Voice plan? We discuss this on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated - see our ethics statement for details.

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Advertisement

Related Stories

Popular Mobile Brands
  1. Nothing Phone 3 Design Teaser Shows Textured Button
  2. iPhone 17 Air Battery Specifications, Weight and Other Details Leaked
  3. CMF Phone 2 Pro Review: A Perfect Blend of Style and Speed
  4. Realme Neo 7 Turbo Display, Battery Details Revealed Ahead of Launch
  5. Samsung May Follow a Dual-Chip Strategy for This Foldable Phone
  6. OpenAI's Viral Ghibli Trend Might Be a Privacy Minefield, Experts Say
  7. Samsung Galaxy Z Fold 7 Specifications Tipped via Alleged Geekbench Listing
  8. Airtel's 10-Day Postpaid International Roaming Pack Now Offers More Data
  1. OpenAI’s Viral Ghibli Trend Might Be a Privacy Minefield, Experts Say
  2. Astronomers Spot Nearly Perfect Supernova Remnant of Unknown Size and Distance
  3. Strange Planet Confirmed in Binary Star System Nu Octantis
  4. Clair Obscur: Expedition 33 Has Fittingly Sold 3.3 Million Copies in 33 Days
  5. Luxembourg Labels Crypto Firms as High-Risk Entities for Money Laundering 
  6. Opera Neon Agentic Browser Unveiled, Uses AI Agents to Plan Trips and Build Websites
  7. Samsung Galaxy Z Fold 7 Spotted on Geekbench Again; Key Specifications Listed
  8. Nothing Phone 3 Design Officially Teased; Appears With Textured Button
  9. Xiaomi Reports Rs. 1.31 Lakh Crore Revenue in Q1 2025, Beats Rs. 1.2 Lakh Crore Mark Again
  10. Samsung Galaxy S26 Series to Use Inkjet Printing to Enable Thinner Lens Modules: Report
Gadgets 360 is available in
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.