Serious Mac security flaw still unpatched by Apple after 6 months, researcher says

macOS Big Sur beta
(Image credit: Apple/Future)

There's a security flaw in the most recent versions of macOS, including the upcoming Big Sur, but Apple doesn't seem to want to patch it, a researcher charges.

In a blog post yesterday (June 30), Jeff Johnson says he found a way to evade privacy protections on macOS in September 2019, but waited until Apple launched its bug-bounty program in December to report the flaw (thereby increasing the chances Apple would pay him for finding it).

Apple hasn't completely stonewalled Johnson, he admits, but he says the company claims it's "still investigating the issue" after initially planning to fix the bug by the spring of 2020. 

Now that the beta version of macOS 11 Big Sur is out but still apparently contains the flaw, Johnson has gone public.

"Talking to Apple Product Security is like talking to a brick wall," Johnson told The Register. "I suspect that Apple doesn't trust outsiders with any information, but this attitude is counterproductive, because it just alienates the people who report bugs, and turns them away from bug reporting."

Tom's Guide has contacted Apple for comment and will update this story when a reply is received.

Just needs a little TCC

The alleged flaw lies in Apple's Transparency, Consent, and Control (TCC) system, which protects sensitive files from being accessed by any application — a form of sandboxing. TCC was introduced with OS X 10.9 Mavericks in 2013, but got the file-protection features Johnson is concerned about with macOS 10.14 Mojave in 2018.

As an example, Johnson said TCC is meant to block access to Safari's Library folder, which contains browsing history, bookmarks and downloads, from all applications except Finder and Safari itself. Because of TCC, other apps, including malware, shouldn't be able to access those Safari files.

Except that Johnson says TCC doesn't work properly, and malware can indeed access those files. That's because you can create a copy of an existing application (such as Safari), place the copy anywhere else in the Mac file system and then modify the copied app to do dastardly deeds, such as stealing information. 

"Any app that you download from the web could accomplish this privacy protections bypass," Johnson wrote in his blog post.

'Security theater'

TCC fails because it doesn't verify that the applications allowed to access certain files are where they should be in the file system, Johnson said. TCC also doesn't properly check whether an app has been modified because it "only superficially checks the code signature of the app."

"The copy of the app with modified resources will still have the same file access as the original app, in this case, Safari," Johnson says he told Apple. He said he included a proof-of-concept exploit, which you can download now, in his original communication with Apple.

Johnson admits that this is not the worst security flaw in the world, because Macs did fairly well without TCC for many years.

"Prior to Mojave, the privacy protections feature did not exist at all on the Mac, so you're not any worse off now than you were on High Sierra and earlier," he wrote. "My personal opinion is that macOS privacy protections are mainly security theater."

To protect yourself, Johnson recommends what we at Tom's Guide always suggest: Be very wary of what you install on your Mac (or your PC), and pay attention to those pop-up windows that inform you of what's going on with an app as you install it. 

We feel that the biggest weakness in Mac security is its reliance on the end user to make informed decisions without the end user being fully informed. (You could say the same about Android security.) 

To remove some of the guesswork, make sure to install and run one of the best Mac antivirus apps, which will screen out dangerous malware before it even comes to your attention.

  • The best UAE VPN is essential for those living in or visiting Dubai
  • Mac users need the very best Mac VPN
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.