analyzed how malware on macOS can bypass Apple’s operating system privacy settings, called Transparency, Consent, and Control (TCC), which control apps’ access to sensitive user data. The bug, called Powerdir, which Apple fixed in its December 13 update for macOS through Monterey, allows an attacker to bypass TCC and gain access to a user’s protected data.
According to Microsoft’s 365 Defender Research Team, Apple has introduced a TCC protection feature that “prevents execution of unauthorized code and enforces a policy that limits access to TCC to applications with full disk access.” However, Microsoft employee Jonathan Bar Or discovered that it is “possible to change a target user’s home directory and set up a fake TCC database storing consent history of app requests.”
“If this vulnerability is exploited on unpatched systems, a malicious actor could launch an attack based on the user’s protected personal information,” Microsoft said.
An attacker could hijack an already installed app or install their own malicious app to access the microphone and record private conversations or take screenshots of sensitive information displayed on the user’s screen. The bug’s name, Powerdir, was derived from its ability to enable camera and microphone access for virtually any app.