Key Takeaways
- HM Surf bypasses macOS’s TCC protection to give attackers access to a user’s data through Safari.
- The bypass relies on a private entitlement held by Apple’s own apps such as Safari; third-party browsers that lack it are not affected.
- Apple addressed the problem in the macOS Sequoia security update.
Microsoft’s security research team has discovered a macOS vulnerability that could give bad actors access to users’ personal information.
Named “HM Surf” after the Pokémon move, the vulnerability circumvents macOS’s Transparency, Consent, and Control (TCC) mechanism. According to Microsoft’s blog post, exploiting it involves removing TCC protection from the Safari browser directory and modifying a configuration file inside it. This gives malicious actors unauthorized access to users’ private information, including their browsing history, camera, microphone, and current location.
How the HM Surf Vulnerability Works
macOS’s TCC framework prevents installed applications from accessing users’ personal information without permission: before an installed app can read protected data, macOS asks the user for consent. Safari and other Apple proprietary apps, however, carry special entitlements that Apple grants by default, giving them capabilities that other installed apps do not have.
One of these private entitlements, com.apple.private.tcc.allow, lets Safari bypass TCC checks at the app level and enforce consent itself on a per-origin (per-website) basis: Safari as a whole can access the user’s camera and microphone, but each website viewed through Safari must be allowed individually. HM Surf abuses this arrangement by tampering with the configuration Safari relies on for those per-site decisions, so the attacker inherits Safari’s access without TCC ever prompting the user.
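The practical check that follows from this is to find out which apps on a machine hold the private TCC entitlement at all, since only those can sidestep app-level prompts. The script below is an added example, not code from the article or from Microsoft: it parses an entitlements plist of the kind `codesign -d --entitlements` prints, flags the com.apple.private.tcc.allow key, and lists the TCC services it grants. Both sample plists are constructed for the example and the service names in them are illustrative, not copied from Safari’s real entitlements.

```python
import plistlib

# Private entitlement that lets an Apple-signed app skip app-level TCC prompts
# and enforce consent itself (Safari does this per website origin).
PRIVATE_TCC_ALLOW = "com.apple.private.tcc.allow"

# Constructed sample (not Safari's real entitlements): a trimmed plist in the
# shape `codesign -d --entitlements` emits. Service names are illustrative.
SAMPLE_SAFARI_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.private.tcc.allow</key>
	<array>
		<string>kTCCServiceCamera</string>
		<string>kTCCServiceMicrophone</string>
		<string>kTCCServiceAddressBook</string>
	</array>
</dict>
</plist>
"""

# Constructed sample: a third-party browser holding only public entitlements,
# so it stays subject to ordinary TCC prompts.
SAMPLE_THIRD_PARTY_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.allow-jit</key>
	<true/>
	<key>com.apple.security.device.camera</key>
	<true/>
</dict>
</plist>
"""


def extract_plist_xml(raw: bytes) -> bytes:
    """Drop any binary blob header codesign may print before the XML."""
    start = raw.find(b"<?xml")
    if start < 0:
        raise ValueError("no XML plist found in input")
    return raw[start:]


def private_tcc_services(raw: bytes) -> list[str]:
    """Return the TCC services the app may use without an app-level prompt."""
    ent = plistlib.loads(extract_plist_xml(raw))
    value = ent.get(PRIVATE_TCC_ALLOW, [])
    if isinstance(value, str):  # tolerate a single-string form
        value = [value]
    return sorted(value)


def audit_entitlements(app_name: str, raw: bytes) -> dict:
    """Summarise whether an app can bypass app-level TCC checks."""
    services = private_tcc_services(raw)
    return {
        "app": app_name,
        "bypasses_app_level_tcc": bool(services),
        "services": services,
    }


if __name__ == "__main__":
    for name, xml in (("Safari", SAMPLE_SAFARI_ENTITLEMENTS),
                      ("ThirdPartyBrowser", SAMPLE_THIRD_PARTY_ENTITLEMENTS)):
        print(audit_entitlements(name, xml))
```

On a Mac, dump a real app’s entitlements with `codesign -d --entitlements - /Applications/Safari.app` (add `--xml` on releases where codesign otherwise prints a non-plist text form) and pass the bytes to `audit_entitlements`. An app that comes back with an empty service list cannot use the HM Surf route regardless of how its configuration files are tampered with, which is the reason the issue is confined to Safari.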
Additionally, Microsoft has observed suspicious activity associated with the AdLoad adware family for macOS, and the company believes the adware may already be exploiting this weakness.
The flaw has been resolved
Apple fixed the HM Surf vulnerability in the macOS Sequoia security update released on September 16, 2024. It is worth noting that the issue, and therefore the fix, is specific to Safari: third-party browsers such as Google Chrome and Microsoft Edge do not hold the private entitlements granted to Apple’s own apps, so they remain subject to normal TCC checks and cannot bypass them in this way. Users who have not yet updated to Sequoia remain exposed until they do.
Microsoft is working with other major browser vendors to explore the benefits of hardening local configuration files.