“$ sudo ls ~/Desktop: Operation not permitted”. Apple’s Transparency, Consent, and Control (TCC) framework limits access to private information like documents, the camera, the microphone, emails, and more in order to preserve your privacy. Since authorisation is required to grant such access, the mechanism’s key design priority was clear user consent.
At Black Hat USA 2021, I co-presented considerable research on abusing the TCC mechanisms; this time, however, we won’t be directly exploiting the TCC. Given that iCloud has tons of macOS users’ secrets, why keep attacking the TCC? The default configuration makes a Mac synchronize a lot of data. Don’t you have your iMessages/Photos/Calendars/Reminders/Notes accessible from iCloud? That’s good because you take care of your privacy… but most users don’t. :)
The brand-new research on abusing Apple’s iCloud to gain access to users’ sensitive data will be shared during the presentation. All that from a malicious application’s perspective, without any additional permissions.
What happens on your Mac, stays on Apple’s iCloud?!
1. What happens on your Mac, stays on Apple's iCloud?!
Bypassing Mac privacy mechanisms
2. Whoami?
Wojciech Reguła
Head of Mobile Security at
• Focused on iOS/macOS #appsec
• Blogger – https://wojciechregula.blog
• iOS Security Suite Creator
• macOS environments security
4. Agenda
1. Introduction to macOS privacy mechanisms
2. macOS entitlements and how to attack them
3. Accessing user’s iCloud account tokens via GarageBand
4. Accessing user’s iCloud account tokens via iMovie
5. Demos & further exploitation
6. Conclusion
5. Results of this research for now
During this talk we will get unauthorized access to the user’s
• Location
• Contacts
• Calendar
• Reminders
6. Introduction to macOS Security Mechanisms
System Integrity Protection (SIP)
• Based on Sandbox kernel extension
• Restricts access to many directories on macOS
• Denies debugger attachments to processes signed directly by Apple
• Also known as rootless, because even root cannot do the above-mentioned operations when the SIP is turned on
18. macOS Entitlements System – DYLIB injection flaw
An app with private entitlements + an attacker somehow loads a malicious dynamic library → AMFI and other components verifying entitlements are happy 👍🏻
19. Our target - com.apple.iCloudHelper.xpc
• Uses C XPC API for inter-process communication
• Will provide us iCloud auth tokens when nicely asked 😊
29. Attacking GarageBand
GarageBand with private iCloud entitlement and disable-library-validation → modification of one of the dynamic libraries to execute my code → the iCloudHelper happily accepts the XPC connection 👍🏻
43. Attacking iMovie
iMovie with private iCloud entitlement and without hardened runtime → DYLD_INSERT_LIBRARIES that injects a dynamic library with my code → the iCloudHelper happily accepts the XPC connection 👍🏻
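The two attack chains above (slides 29 and 43) and the generic picture on slide 18 share one precondition: a binary that carries private entitlements but is signed in a way that lets foreign code run inside it, either with the hardened runtime missing or with library validation disabled. The following audit helper is an added example written for this page, not code from the talk or from Apple; it parses the two facts from `codesign` output and reports which of the two injection paths the signing configuration leaves open. The entitlement key `com.apple.security.cs.disable-library-validation`, the `com.apple.private.` prefix and the `runtime` flag in the CodeDirectory flags line are real; the sample `codesign` output and the `com.apple.private.placeholder-icloud` entitlement name are constructed for the offline demonstration.

```python
"""Audit the signing properties that the slides tie to dylib injection:
hardened runtime (CodeDirectory flag "runtime"), the
com.apple.security.cs.disable-library-validation entitlement, and the
presence of private (com.apple.private.*) entitlements. Parsing is pure
Python; the live codesign calls are isolated in collect_codesign_facts().
"""
from __future__ import annotations

import plistlib
import re
import subprocess
from dataclasses import dataclass, field

DISABLE_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"
PRIVATE_PREFIX = "com.apple.private."


@dataclass
class SigningFacts:
    hardened_runtime: bool
    disable_library_validation: bool
    private_entitlements: list = field(default_factory=list)


def parse_codesign_flags(verbose_output: str) -> bool:
    """True if the 'flags=0x...(...)' line of `codesign -dvv` lists 'runtime'."""
    m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", verbose_output)
    if not m:
        return False
    return "runtime" in [f.strip() for f in m.group(1).split(",")]


def parse_entitlements(plist_xml: bytes) -> dict:
    """Entitlements plist (XML) -> dict; an unsigned/empty blob yields {}."""
    return plistlib.loads(plist_xml) if plist_xml.strip() else {}


def assess(verbose_output: str, entitlements_xml: bytes) -> SigningFacts:
    ents = parse_entitlements(entitlements_xml)
    return SigningFacts(
        hardened_runtime=parse_codesign_flags(verbose_output),
        disable_library_validation=bool(ents.get(DISABLE_LIB_VALIDATION, False)),
        private_entitlements=sorted(k for k in ents if k.startswith(PRIVATE_PREFIX)),
    )


def findings(facts: SigningFacts) -> list:
    """Short finding codes; an empty list means neither injection path applies."""
    out = []
    if not facts.private_entitlements:
        return out  # nothing privileged to inherit, so injection gains no entitlement
    if not facts.hardened_runtime:
        out.append("no-hardened-runtime")        # DYLD_INSERT_LIBRARIES path (iMovie case)
    if facts.disable_library_validation:
        out.append("disable-library-validation")  # bundled-dylib replacement path (GarageBand case)
    return out


def collect_codesign_facts(path: str) -> SigningFacts:
    """Live collection on macOS; not exercised by the offline sample below.
    `codesign -dvv` reports to stderr; `--entitlements :-` strips the blob header
    (newer codesign versions may print a deprecation notice for the colon form)."""
    verbose = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True).stderr
    ents = subprocess.run(["codesign", "-d", "--entitlements", ":-", path],
                          capture_output=True).stdout
    return assess(verbose, ents)


# Constructed sample output, modelled on the shape of `codesign -dvv` (not real apps).
SAMPLE_FLAGS_HARDENED = (
    "Executable=/Applications/Example.app/Contents/MacOS/Example\n"
    "CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded\n"
)
SAMPLE_FLAGS_NONE = (
    "Executable=/Applications/Example.app/Contents/MacOS/Example\n"
    "CodeDirectory v=20100 size=1234 flags=0x0(none) hashes=30+7 location=embedded\n"
)
# Constructed entitlements; the private key name is a placeholder, not a real Apple entitlement.
SAMPLE_ENTS_WEAK = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.private.placeholder-icloud</key><true/>
<key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>"""
SAMPLE_ENTS_NO_PRIVATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(findings(assess(SAMPLE_FLAGS_NONE, SAMPLE_ENTS_WEAK)))
    print(findings(assess(SAMPLE_FLAGS_HARDENED, SAMPLE_ENTS_NO_PRIVATE)))
```

Run over an inventory of `/Applications` and `/System/Applications`, `collect_codesign_facts` gives a quick view of which binaries combine private entitlements with a weak signing configuration; the `findings` list is empty for a hardened binary and for a binary with no private entitlements at all, since injection only matters when there is a privilege to inherit.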