
Security Bite: Jamf Reveals TCC Bypass Vulnerability That Allows Silent Access to iCloud Data

9to5Mac Security Bite is brought to you exclusively by Mosyle, Apple’s only unified platform. Everything we do is about ensuring Apple devices are ready to work and secure across the enterprise. Our unique, end-to-end approach to management and security combines Apple’s most advanced security solutions for fully automated hardening and compliance, next-generation EDR, AI-powered Zero Trust, and exclusive privilege management with Apple’s most powerful and advanced MDM on the market. The result is a fully automated, unified platform from Apple that is now trusted by over 45,000 organizations to make millions of Apple devices work effortlessly and affordably. Request an EXTENDED TRIAL today and see why Mosyle is all you need for your Apple experience.

Last week, I received an interesting report from the security research division of popular Apple device management company Jamf, detailing a serious, but now patched, vulnerability in iOS and macOS. The discovery was under embargo, but today I can finally share it.

Jamf Threat Labs has discovered a significant vulnerability in Apple's Transparency, Consent, and Control (TCC) subsystem on iOS and macOS that could allow malicious apps to access sensitive user data completely silently, without triggering any notifications or prompts for user consent.


In the Apple ecosystem, TCC functions as a critical security framework that prompts users to grant, restrict, or deny individual apps’ requests to access sensitive data. You’ll likely encounter these prompts when you first open apps. However, a TCC bypass vulnerability can occur when this control mechanism breaks down, potentially allowing an app to access personal information without the user’s explicit consent or knowledge.

The newly discovered vulnerability, tracked as CVE-2024-44131, affects the Files.app and FileProvider.framework system processes and could expose users’ personal information, including photos, GPS location, contacts, and health data. What’s more, Jamf claims that it could also allow potentially malicious apps to access the user’s microphone and camera. This exploit could happen completely undetected.

How it works

A team of Jamf researchers has discovered a potential bypass involving symbolic links, which file operations on iOS resolve automatically. By strategically inserting a symbolic link in the middle of a file copy process, a malicious app can intercept and redirect file moves without triggering a TCC request.

“When a user moves or copies files in Files.app, a background malicious app can intercept these actions and redirect the files to locations under the control of the app,” a Jamf Threat Labs report explains. “By leveraging elevated fileproviderd privileges, a malicious app can intercept file moves or copies without triggering a TCC request. This exploitation can happen in the blink of an eye, completely unnoticed by the end user.”
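The pattern the report describes, a link planted mid-copy so that a privileged file-handling component writes the user's data somewhere else, is a classic symlink race. The following is an added illustration of the defensive side of that pattern, written for this article and not taken from Jamf's report or from Apple's Files.app or fileproviderd code. It shows how a file-copy routine can refuse to follow symbolic links at every step: the source and destination are opened with O_NOFOLLOW, the destination is created with O_EXCL so a name already occupied by a link is rejected, all bytes travel through the descriptor the routine owns rather than through the path name, and a final lstat confirms the directory entry still names the inode that was written. The fixture in demo() uses constructed sample paths and content under a temporary directory; the function names safe_copy, file_matches and demo are this example's own. It is generic POSIX C rather than iOS code, so it demonstrates the general mitigation that any privileged copy or move service can apply, not a fix for the specific fileproviderd bug.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy src to dst without ever following a symbolic link, and without ever
 * reopening the destination by name once it has been created. Returns 0 on
 * success, -1 on any failure, including "a link was found where a regular
 * file was expected". */
int safe_copy(const char *src, const char *dst) {
    int in = open(src, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (in < 0) return -1;
    struct stat st_in;
    if (fstat(in, &st_in) != 0 || !S_ISREG(st_in.st_mode)) { close(in); return -1; }

    /* O_CREAT|O_EXCL: we insist on creating the destination ourselves. If any
     * name already sits there, a planted link included, open() fails with
     * EEXIST instead of writing through whatever the link points at. */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (out < 0) { close(in); return -1; }
    struct stat st_out;
    if (fstat(out, &st_out) != 0 || !S_ISREG(st_out.st_mode)) {
        close(in); close(out); unlink(dst); return -1;
    }

    /* Every write goes through the descriptor we own, so a name swapped in
     * while the copy runs cannot redirect the bytes. */
    char buf[8192];
    ssize_t n;
    int rc = 0;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { rc = -1; break; }
            off += w;
        }
        if (rc) break;
    }
    if (n < 0) rc = -1;

    /* Tamper check: the directory entry must still be the inode we wrote. If
     * it is now a link, or a different file, something replaced it under us
     * and the caller should treat the result as untrusted. */
    struct stat st_now;
    if (rc == 0 && (lstat(dst, &st_now) != 0 || S_ISLNK(st_now.st_mode) ||
                    st_now.st_ino != st_out.st_ino || st_now.st_dev != st_out.st_dev))
        rc = -1;
    close(in); close(out);
    return rc;
}

/* Reads a small file and reports whether its contents equal expected. */
static int file_matches(const char *path, const char *expected) {
    char got[256] = {0};
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t len = fread(got, 1, sizeof got - 1, f);
    fclose(f);
    return len == strlen(expected) && memcmp(got, expected, len) == 0;
}

/* Builds a throwaway fixture (constructed sample data, not taken from the
 * Jamf report) in a temporary directory and exercises both outcomes.
 * Returns 1 if the copy to a fresh name succeeds with matching content AND
 * the copy to a name already occupied by a symlink is refused with nothing
 * created where the link points; 0 otherwise. */
int demo(void) {
    char dir[] = "/tmp/nofollow_copy_XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char src[300], fresh[300], planted[300], redirect[300];
    snprintf(src, sizeof src, "%s/source.txt", dir);
    snprintf(fresh, sizeof fresh, "%s/copy.txt", dir);
    snprintf(planted, sizeof planted, "%s/copy_via_link.txt", dir);
    snprintf(redirect, sizeof redirect, "%s/elsewhere.txt", dir);

    const char *payload = "constructed sample document\n";
    FILE *f = fopen(src, "w");
    if (!f) return 0;
    fputs(payload, f);
    fclose(f);
    /* A symlink already occupying the destination name, pointing elsewhere. */
    if (symlink(redirect, planted) != 0) return 0;

    int ok_fresh = safe_copy(src, fresh) == 0 && file_matches(fresh, payload);
    int refused = safe_copy(src, planted) != 0 && access(redirect, F_OK) != 0;

    unlink(fresh); unlink(planted); unlink(src); rmdir(dir);
    return ok_fresh && refused;
}

int main(void) {
    int ok = demo();
    printf("hardened copy behaved as expected: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The point of the final lstat is worth spelling out: by the time it runs, the data has already been written into the inode the routine created, so a swapped-in link cannot have received any bytes. The check exists so that a caller knows the destination name can no longer be trusted and can log the event rather than silently handing the user a path that now points elsewhere, which is exactly the kind of signal a TCC-style consent model needs in order to surface a prompt instead of nothing at all.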


The most troubling aspect of this vulnerability is its potential for stealth data access. Since no TCC requests are triggered, users see no indication that their data is being accessed or moved to an attacker-controlled directory.

Files stored in iCloud are particularly vulnerable, especially in directories like /var/mobile/Library/Mobile Documents/. In addition to any photos or files stored here, this could also include data from apps like WhatsApp, Pages, and other cloud-synced apps.

It's unclear whether this vulnerability has been actively exploited. Jamf says it promptly reported it to Apple, which patched it in the initial release of iOS 18 and macOS 15 back in September.

You can read the full Jamf Threat Labs study here.

More on Apple Security

  • A newly released app lets you regularly scan your iPhone for Pegasus spyware, which can access almost all the data on the phone, for a one-time fee of just one dollar.
  • Moonlock Lab has published its 2024 Threat Landscape Report, which details how AI tools like ChatGPT are helping write malicious scripts, the move to Malware-as-a-Service (MaaS), and other interesting stats it sees through its internal data.
  • Apple's Passwords app now has a Firefox extension for Mac. Interestingly, a Reddit thread shows that the extension appears to have been created by a third-party developer. But Apple appears to have taken it under its own brand and name.
  • Mosyle exclusively reveals to 9to5Mac details of a new family of Mac malware downloaders. The Mosyle security research team found that these new threats are written in unconventional programming languages and use several other stealthy techniques to avoid detection.

Follow Arin: Twitter/X, LinkedIn, Threads
