A bypass flaw in the FileProvider Transparency, Consent and Control (TCC) subsystem within Apple’s iOS operating system could leave users’ data dangerously exposed, according to researchers at Jamf Threat Labs.
Assigned CVE-2024-44131, the issue was successfully patched by Apple in September 2024 and Jamf, whose researchers are credited with its discovery, is formally disclosing it today. It also affects macOS devices, although Jamf’s researchers have focused on the mobile ecosystem since these estates are more often neglected during updates.
CVE-2024-44131 is of particular interest to threat actors because if successfully exploited, it can enable them to access sensitive information held on the target device, including contacts, location data and photos.
TCC is a “critical security framework”, the Jamf team explained, which prompts users to grant or deny requests from specific applications to access their data, and CVE-2024-44131 enables a threat actor to sidestep it completely – if they can convince their victim to download a malicious app.
“This discovery highlights a broader security concern as attackers focus on data and intellectual property that can be accessed from multiple locations, allowing them to focus on compromising the weakest of the connected systems,” said the team.
“Services like iCloud, which allow data to sync across devices of many form factors, enable attackers to attempt exploits across a variety of entry points as they look to accelerate their access to valuable intellectual property and data.”
How it works
At the core of the problem sits the interaction between the Apple Files.app and the FileProvider system process when managing file operations.
In the exploit demonstrated, when an unwitting user moves or copies files or directories with Files.app within a directory that the malicious app running in the background can access, the attacker gains the ability to manipulate a symbolic link, or symlink – a file that exists solely specify a path to the target file.
Usually, file operation APIs will check for symlinks, but they usually appear at the final portion of the path prior to beginning the operation, so if they appear earlier – which is the case in this exploit chain – the operation will bypass these checks.
In this way, the attacker can use the malicious app to abuse the elevated privileges provided by FileProvider to either move or copy data into a directory they control without being spotted. They can then hide these directories, or upload them to a server they control.
“Crucially,” said the Jamf team, “this entire operation occurs without triggering any TCC prompts.”
The most effective defence against this flaw is to apply the patches from Apple, which have been available for a couple of months. Security teams may also wish to implement additional monitoring of application behaviour and endpoint protection.
Jamf’s strategy vice-president Michael Covington warned that because the updates also included support for Apple Intelligence, a series of artificial intelligence (AI) features for iOS devices, “wariness” around this feature might have led some organisations to hold off applying the updates with the necessary patch, leaving the attack vector open to exploitation.
“This discovery is a wake-up call for organisations to build comprehensive security strategies that address all endpoints,” said the team.
“Mobile devices, as much as desktops, are critical parts of any security framework. Extending security practices to include mobile endpoints is essential in an era where mobile attacks are increasingly sophisticated.”