MacOS Safari Exploit Exposes Camera, Mic, Browser Data

A vulnerability in the Safari browser on macOS devices has exposed users to spying, data theft, and malware attacks.

Apple’s special permissions for its proprietary apps, particularly Safari, have allowed attackers to access important app configuration files, bypassing the Transparency, Consent, and Control (TCC) security layer on MacBooks. This vulnerability, identified as CVE-2024-44133, has been classified with a severity rating of 5.5 in the Common Vulnerability Scoring System (CVSS).

Microsoft researchers have named their exploit of this vulnerability “HM Surf,” which could potentially compromise a user’s browsing data, camera, microphone, and device location. There is evidence to suggest that an adware program has already exploited this vulnerability in the wild.

Apple released a fix for CVE-2024-44133 in the macOS Sequoia update on Sept. 16.

Cybersecurity expert Xen Madden emphasizes the importance of updating macOS devices to protect against unauthorized access. Most EDR tools, including Microsoft Defender, are capable of detecting this vulnerability.

Exploiting HM Surf

TCC on Apple devices manages app access to sensitive data and features. However, some apps, including Safari, have special entitlements that allow them to bypass TCC restrictions. Safari’s entitlement, “com.apple.private.tcc.allow”, enables it to access the camera and microphone at an app level, rather than on a per-website basis.

Manipulating Safari’s configuration files in the user’s home directory can lead to TCC bypass. The exploit involves using the dscl command-line utility to modify Safari’s TCC configurations, granting permissions to malicious websites without triggering permission pop-ups.
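
A defensive sketch of the two behaviours described above, added here as an example and not code from Microsoft, Apple or the original article: it flags writes into Safari's directory under a user's home by a process other than Safari, and raises the severity when a record-modifying dscl call preceded the write on the same host. The pipe-delimited log format, the writer allowlist and the five-minute window are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), sorted by time:
# timestamp | host | event | process | detail
SAMPLE = """\
2024-10-01T10:00:00|mac-01|exec|/usr/bin/dscl|dscl . -read /Users/alice
2024-10-01T10:02:10|mac-01|exec|/usr/bin/dscl|dscl . -change /Users/alice <attr> <old> <new>
2024-10-01T10:02:40|mac-01|write|/private/tmp/helper|/Users/alice/Library/Safari/<file>
2024-10-01T10:30:00|mac-02|write|/Applications/Safari.app/Contents/MacOS/Safari|/Users/bob/Library/Safari/<file>
2024-10-01T11:00:00|mac-03|write|/private/tmp/helper|/Users/carol/Library/Safari/<file>
"""

# dscl sub-commands that modify a directory record (read-only ones are ignored).
DSCL_WRITE = re.compile(r"\s-(create|append|merge|change|changei|delete)\b")
# Safari's per-user configuration directory.
SAFARI_DIR = re.compile(r"^/Users/[^/]+/Library/Safari/")
# Assumption: extend with the Apple helper processes seen writing here in your fleet.
ALLOWED_WRITERS = {"/Applications/Safari.app/Contents/MacOS/Safari"}
# Assumption: how long after a dscl change a Safari-directory write counts as related.
WINDOW = timedelta(minutes=5)


def detect(log_text):
    """Return (host, severity, timestamp) for suspicious writes to Safari's config directory."""
    last_dscl = {}  # host -> time of the most recent record-modifying dscl call
    alerts = []
    for line in log_text.strip().splitlines():
        ts, host, event, proc, detail = line.split("|", 4)
        when = datetime.fromisoformat(ts)
        if event == "exec" and proc.endswith("/dscl") and DSCL_WRITE.search(detail):
            last_dscl[host] = when
        elif event == "write" and SAFARI_DIR.match(detail) and proc not in ALLOWED_WRITERS:
            seen = last_dscl.get(host)
            correlated = seen is not None and timedelta(0) <= when - seen <= WINDOW
            alerts.append((host, "high" if correlated else "medium", ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```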

Was CVE-2024-44133 Already Exploited?

Microsoft discovered activity resembling the HM Surf technique on a device, possibly carried out by the AdLoad adware program. AdLoad not only hijacks browser traffic but also harvests user data and facilitates the delivery of further malicious payloads.

While the activity closely mirrors HM Surf, it is unclear whether AdLoad specifically exploits the vulnerability. However, the similarity underscores the importance of protection against such attacks.

Further comments from Apple and Microsoft on this matter are pending.