This serious macOS vulnerability could allow attackers to access all your private data

Following its discovery of the Shrootless vulnerability back in October 2021, Microsoft has uncovered a new macOS vulnerability that it says could be exploited to gain unauthorized access to a user's data.

Tracked as CVE-2021-30970, the new “powerdir” flaw found by the Microsoft 365 Defender Research Team could allow an attacker to bypass the Transparency, Consent and Control (TCC) technology in Apple's desktop operating system, the company wrote in a blog post.

First introduced back in 2012 on macOS Mountain Lion, TCC was created to help Mac users configure the privacy settings of their apps, such as which ones have access to a device's camera, microphone or location, in addition to a user's calendar or iCloud account.

To protect TCC, Apple introduced a feature that prevented unauthorized code execution and enforced a policy that restricts access to TCC only to apps with full disk access. There are actually two kinds of TCC databases under the hood in macOS: the user-specific database stores permission types that only apply to a specific user profile, while the system-wide database stores permission types that apply on a system level and can be accessed by users with root or full disk access.

Powerdir vulnerability

During its investigation into the matter, the Microsoft 365 Defender Research Team discovered that it was possible to programmatically change a target user's home directory and plant a fake TCC database capable of storing the consent history of app requests.

If the powerdir vulnerability is exploited on unpatched systems, it could allow a malicious actor to potentially orchestrate an attack based on a user's protected personal data. For instance, an attacker could hijack an app installed on a device or even install their own malicious app and access the microphone on a MacBook to record private conversations or capture screenshots of sensitive information displayed on a user's screen.

This isn't the first TCC vulnerability that has been discovered and subsequently patched. However, it was by examining one of the latest fixes that Microsoft came across powerdir. The company's research team even had to update its proof-of-concept (POC) exploit because the initial version no longer worked on the latest version of macOS (Monterey).

After discovering the powerdir vulnerability, Microsoft shared its findings with Apple through Coordinated Vulnerability Disclosure (CVD), and Apple released a fix as part of a series of security updates in December of last year. To avoid falling victim to any potential attacks, macOS users should download and apply the latest security updates as soon as possible.

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
