Researcher Details CVE-2024-44131 – A Critical TCC Bypass in macOS and iOS

Jamf Threat Labs has identified a vulnerability in Apple’s Transparency, Consent, and Control (TCC) security framework. Designated as CVE-2024-44131, this flaw enables malicious applications to bypass user consent mechanisms and access sensitive data without the user’s knowledge. The vulnerability impacts both macOS and iOS systems and has since been patched in macOS 15 and iOS 18.

Apple’s TCC framework is designed to ensure that applications request user consent before accessing sensitive data such as photos, location, and contacts. However, this vulnerability allows attackers to bypass these safeguards. Jamf explained: “This TCC bypass allows unauthorized access to files and folders, Health data, the microphone or camera, and more without alerting users. This undermines user trust in the security of iOS devices and exposes personal data to risk.”

The flaw combines symbolic-link (symlink) manipulation with the elevated privileges of system processes such as fileproviderd and Files.app: because those privileged components follow the links on the app's behalf, an attacker can have sensitive user data copied into directories under their control without ever holding the corresponding TCC permission.

The exploit allows malicious apps to intercept file operations in the Files.app and redirect sensitive data without triggering TCC prompts. Jamf noted: “This exploitation can happen in the blink of an eye, entirely undetected by the end user.”
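From the defender's side, the recurring indicator in this class of bug is a symlink inside a synced or provider-managed folder whose target resolves outside that folder. The scanner below is an added example written for this article, not Jamf's proof of concept or Apple's code; it builds a constructed sample tree (a `sync` folder beside a `private` folder, both hypothetical paths) and reports any link that escapes the tree.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(root):
    """Return (link path relative to root, resolved target) for every symlink
    under root whose resolved target lies outside root. Links that stay inside
    the tree are legitimate and are ignored. Symlinked directories are not
    followed, so a link loop cannot make the walk recurse forever."""
    root = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            try:
                target = link.resolve(strict=False)
            except (OSError, RuntimeError):
                # dangling or looping link: report the raw link text instead
                target = Path(os.readlink(link))
            if target != root and root not in target.parents:
                findings.append((str(link.relative_to(root)), str(target)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample data, not a real device layout: a 'sync' folder with
    one benign in-tree link and one link that escapes to a sibling 'private'
    folder standing in for data the app was never granted access to."""
    base = Path(tempfile.mkdtemp(prefix="symlink_demo_"))
    sync, private = base / "sync", base / "private"
    (sync / "docs").mkdir(parents=True)
    private.mkdir()
    (sync / "docs" / "notes.txt").write_text("ordinary file\n")
    (private / "secret.db").write_text("protected content\n")
    os.symlink(sync / "docs" / "notes.txt", sync / "notes-link")  # stays in tree
    os.symlink(private, sync / "backup")                           # escapes tree
    return sync


def demo():
    """Scan the constructed tree; only the escaping 'backup' link is reported."""
    return find_escaping_symlinks(build_sample_tree())


if __name__ == "__main__":
    for link, target in demo():
        print(f"escaping symlink: {link} -> {target}")
```

Point `find_escaping_symlinks` at a real synced folder to audit it; a hit is a signal to investigate, not proof of exploitation.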

The vulnerability affects iOS and macOS, highlighting the risks posed by synchronized data across devices. “Services like iCloud, which allow data to sync across devices of many form factors, enable attackers to attempt exploits across a variety of entry points as they look to accelerate their access to valuable intellectual property and data,” Jamf explained.

Data stored in iCloud, such as backups from apps like WhatsApp, Pages, and GarageBand, is particularly exposed because those storage locations are not protected by the unique, UUID-based directory paths that guard other app data. Jamf’s proof of concept demonstrated the ability to exfiltrate WhatsApp backups stored in iCloud.

This vulnerability poses a serious threat to user privacy and organizational data security, especially in mobile-first environments. The implications include:

  • Personal Data Exposure: Photos, contacts, and health data can be accessed and manipulated.
  • Corporate Risk: Organizations relying on mobile devices as endpoints must treat them with the same security rigor as desktops.
  • Stealth Attacks: The exploitation leaves no trace, making it challenging to detect or mitigate post-compromise.

Apple has addressed CVE-2024-44131 in iOS 18 and macOS 15. Users are urged to update their devices immediately to mitigate the risks. Additionally, organizations should consider deploying proactive security solutions to monitor and block suspicious application behaviors.

As Jamf emphasized: “While Apple’s OS updates address specific vulnerabilities, having proactive endpoint protection can detect and block unexpected behaviors or abnormal requests.”