Now-patched macOS and iOS vulnerability allowed undetected access by bypassing data protections

A new report out today from Apple enterprise management firm Jamf Holding Corp. details a now-patched vulnerability in iOS and macOS that allowed malicious applications to bypass the Transparency, Consent and Control (TCC) security framework.

Tracked as CVE-2024-44131, the vulnerability allowed unauthorized access to sensitive user data, such as photos, GPS locations and contacts, without user consent or notification.

Discovered by Jamf Threat Labs, the vulnerability exploited a flaw in TCC, Apple’s framework designed to notify users when an application attempts to access sensitive information like photos, contacts, or location data. By bypassing TCC controls, a malicious app could gain access to data without alerting the user, putting personal and organizational security at risk.

At the core of the vulnerability was a symlink attack where the Files.app and fileproviderd processes could be manipulated to redirect file operations. A symlink attack exploits symbolic links to manipulate file operations, redirecting processes to unauthorized locations and bypassing access controls.

An attacker looking to exploit the vulnerability could do so by inserting symlinks at specific stages of file movements or copies, allowing them to deceive the system into granting unauthorized access. Doing so allowed sensitive files stored in iCloud, such as backups and synced documents, to be accessed or exfiltrated stealthily.

The researchers at Jamf found that a key factor in the vulnerability was the lack of UUID-based protection for certain iCloud directories. UUID-based protection secures data by assigning unique, device-specific identifiers to directories, preventing unauthorized access through predictable paths.

While most apps and services protect their data with unique identifiers that vary across devices, some iCloud data paths remain constant, opening an attack vector. The consistency allowed attackers to predict directory structures and bypass security barriers to target files like WhatsApp backups and Apple Pages documents.

The ability to exploit the vulnerability was further enhanced by elevated privileges in Apple’s system processes. Processes such as fileproviderd are granted special entitlements to securely handle file operations. The vulnerability allowed malicious apps to hijack these privileges to redirect data to attacker-controlled directories or even upload it to remote servers without detection.

Being good guys, the Jamf researchers contacted Apple well ahead of going public with the details, with Apple addressing the vulnerability in both iOS 18 and macOS 15. The security patch reinforced symlink checks and strengthened the TCC framework to prevent unauthorized file operations.
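As a generic POSIX illustration of what a symlink check in a privileged file helper looks like, the added example below (not Apple's or Jamf's code) contrasts a path-based read with one that walks the path from a directory descriptor and refuses symlinks at every component. The function names, directory layout and file names are constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

def read_naive(root, relpath):
    """Path-based read: follows whatever symlinks exist at open time."""
    with open(os.path.join(root, relpath), "rb") as fh:
        return fh.read()

def read_no_symlinks(root, relpath):
    """Open one component at a time from a directory fd, never following links."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("path escapes root")
    dir_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)  # root is trusted
    try:
        for name in parts[:-1]:
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "rb") as fh:
        if not stat.S_ISREG(os.fstat(fd).st_mode):  # judge the object, not the path
            raise PermissionError("not a regular file")
        return fh.read()

def demo():
    out = {}
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample tree
        staging, private = Path(tmp, "staging"), Path(tmp, "private")
        (staging / "docs").mkdir(parents=True)
        private.mkdir()
        (staging / "docs" / "report.txt").write_bytes(b"public")
        (private / "backup.db").write_bytes(b"secret")
        (staging / "docs" / "link.txt").symlink_to(private / "backup.db")
        (staging / "alias").symlink_to(private)
        for rel in ("docs/report.txt", "docs/link.txt", "alias/backup.db"):
            try:
                hardened = read_no_symlinks(staging, rel)
            except OSError:  # ELOOP or ENOTDIR from O_NOFOLLOW
                hardened = None
            out[rel] = (read_naive(staging, rel), hardened)
    return out

if __name__ == "__main__":
    print(demo())
```

Because every later step works on descriptors rather than path strings, swapping a directory for a symlink after the walk has passed it does not change which file is read.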

“This discovery is a wake-up call for organizations to build comprehensive security strategies that address all endpoints,” the Jamf researchers conclude. “Mobile devices, as much as desktops, are critical parts of any security framework. Extending security practices to include mobile endpoints is essential in an era where mobile attacks are increasingly sophisticated.”

Image: SiliconANGLE/Ideogram
