Apple was forced to fix an iOS and macOS security hole that could have leaked your private data
- Security researchers have found a way to exfiltrate sensitive data through FileProvider
- The bug abuses the framework’s elevated privileges
- Apple's patch addresses the issue with improved symbolic link validation
Apple has patched a hole in iOS and macOS that could have been exploited to steal sensitive data from victims.
Cybersecurity researchers at Jamf Threat Labs recently discovered and reported a vulnerability in FileProvider, a framework in macOS and iOS that allows apps to manage and access files stored on remote servers or locally.
The vulnerability, which is tracked as CVE-2024-44131 and has a severity rating of 5.3, stems from the framework’s elevated privileges, which can be exploited to move files and even upload them to a remote server under control of the attackers.
Manipulate symlinks
The vulnerability bypasses Apple’s Transparency, Consent, and Control (TCC) framework, which is often described as a “critical security mechanism” for Apple devices.
“This TCC bypass allows unauthorized access to files and folders, health data, the microphone or camera and more without alerting users,” Jamf said. “This undermines users’ confidence in the security of iOS devices and exposes personal data to risk.”
If a threat actor were able to run a malicious app on an Apple device, he could theoretically intercept the user’s action of moving or copying files within the Files app and send them to a place under his control.
“If a user uses Files.app to move or copy files or folders within a folder that is accessible by a malicious app running in the background, the attacker can manipulate symbolic links to trick the Files app,” Jamf added. “The new symlink attack method first copies an innocent file and provides a detectable signal to a malicious process that the copy has started. It then inserts a symlink after the copy process is already in progress, effectively bypassing the symlink check.”
Apple fixed the bug in iOS 18, iPadOS 18, and macOS Sequoia 15, with improved symbolic link validation, and advised users to apply the patch as soon as possible.
Via The Hacker News