Apple forced to patch iOS and macOS security flaw that could have leaked your private info

Security researchers found a way to exfiltrate sensitive data through FileProvider
The bug abuses the framework’s elevated privileges
Apple patch address issue with improved validation of symbolic links

Apple has patched a hole in iOS and macOS which could have been abused to steal sensitive data from victims.

Cybersecurity researchers from Jamf Threat Labs recently discovered, and reported, a vulnerability in FileProvider, a framework in macOS and iOS that enables apps to manage and access files stored on remote servers or locally.

Tracked as CVE-2024-44131, and carrying a severity score of 5.3, the vulnerability stems from the framework’s elevated privileges, which can be abused to move files, and even upload them to a remote server under the attackers’ control.

Manipulating symlinks

The vulnerability bypasses Apple’s Transparency, Consent, and Control (TCC) framework, often described as a “critical security protection” mechanism for Apple devices.

“This TCC bypass allows unauthorized access to files and folders, Health data, the microphone or camera, and more without alerting users,” Jamf said. “This undermines user trust in the security of iOS devices and exposes personal data to risk.”

In theory, if a threat actor could get a malicious app running in an Apple device, it could intercept user action that moves, or copies files within the FIles app, and send them to a place under their control.

“Specifically, when a user moves or copies files or directories using Files.app within a directory accessible by a malicious app running in the background, the attacker can manipulate symlinks to deceive the Files app,” Jamf added. “The new symlink attack method first copies an innocent file, providing a detectable signal to a malicious process that the copying has started. Then, a symlink is inserted after the copying process is already underway, effectively bypassing the symlink check.”

Apple fixed the bug in iOS 18, iPadOS 18, and macOS Sequoia 15, with improved validation of symbolic links (symlinks), and advised users to apply the patch as soon as possible.

Via The Hacker News

https://cdn.mos.cms.futurecdn.net/3huWQGo432iUGf3Q7FDsrN-1200-80.jpg

Source link

Apple’s WWDC 2025 keynote may be an AI ‘letdown’, but there are 4 Apple Intelligence projects it’s working on that you should be excited...

Anker’s new ultra-tough Bluetooth speaker has safety features for going really off-grid, and a self-cleaning trick borrowed from the Apple Watch

Nvidia and MediaTek’s rumored gaming laptop chip could match the RTX 4070’s performance – and that’d be a potential game-changer for handhelds

Looking for Father’s Day ideas? Bose has a tonne of deals just for you

Ex-Israeli Intelligence Official: Shockwaves of Trump’s “Take Over Gaza” Heard, Felt Across Region

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

Which Celebrity Styles Americans Copy Most in 2025: New Study

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

Women hold 17% of Fortune 500 CFO roles—meet the finance chiefs at the top 100

Piper Sandler reiterates overweight rating on The Bancorp stock

BYD Shares Sink as Carmaker Faces Backlash Over EV Price War

Canned soup maker Campbell's beats estimates as eat-at-home trend boosts demand

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

Apple forced to patch iOS and macOS security flaw that could have leaked your private info

Women hold 17% of Fortune 500 CFO roles—meet the finance chiefs at the top 100

Apple’s WWDC 2025 keynote may be an AI ‘letdown’, but there are 4 Apple Intelligence projects it’s working on that you should be excited...

Piper Sandler reiterates overweight rating on The Bancorp stock

BYD Shares Sink as Carmaker Faces Backlash Over EV Price War