Microsoft reveals 'powerdir' macOS vulnerability that allows unauthorized user data access

Microsoft has revealed details of a security vulnerability in macOS that could be exploited to gain unathorized access to user data.

The vulnerability, which has been named 'powerdir' and is being tracked as CVE-2021-30970, involves a logic issue in the Transparency, Consent and Control (TCC) security framework. The security and privacy problem was discovered by the Microsoft 365 Defender Research Team and was reported to Apple is mid-July last year.

See also:

• Microsoft Edge for Windows 11 is getting Dynamic Refresh Rate to boost performance and reduce power consumption
• Microsoft acknowledges that the KB5008212 update breaks Outlook search in Windows 10
• Microsoft releases emergency KB5010196 and KB5010215 updates to fix serious remote desktop problems in Windows Server

Details of the powerdir vulnerability are now being shared as Apple took steps to address the flaw. Back in December, the release of macOS 11.6 and macOS 12.1 patched an issue with the security framework that gives users control over apps' privacy settings.

Introducing the vulnerability in a blog post, the Microsoft 365 Defender Research Team explains: "Introduced by Apple in 2012 on macOS Mountain Lion, TCC is essentially designed to help users configure the privacy settings of their apps, such as access to the device's camera, microphone, or location, as well as access to the user's calendar or iCloud account, among others. To protect TCC, Apple introduced a feature that prevents unauthorized code execution and enforced a policy that restricts access to TCC to only apps with full disk access".

The post continues:

We discovered that it is possible to programmatically change a target user's home directory and plant a fake TCC database, which stores the consent history of app requests. If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user's protected personal data. For example, the attacker could hijack an app installed on the device -- or install their own malicious app -- and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user's screen.

The teams notes that other TCC vulnerabilities were previously reported and subsequently patched before its own discovery. It points out that it that through examining of one of the latest fixes that the powerdir bug was found.

The powerdir vulnerability / CVE-2021-30970 has now been addressed by Apple so it is important to ensure that you have the latest updates installed. You can find out more about the issue in the blog post from the Microsoft 365 Defender Research Team.

Image credit: Alberto Garcia Guillen / Shutterstock