Photo: Farknot Architect / Shutterstock.com
A critical vulnerability (CVE-2024-44133) within macOS, named ‘HM Surf,’ allows attackers to bypass Apple’s Transparency, Consent, and Control (TCC) Technology. This flaw enables unauthorised access to users’ sensitive data through the Safari browser’s configuration files, potentially exposing personal information that is not known to the user.
TCC is a security feature that prevents apps from accessing personal information such as location, camera, and microphone without explicit user consent. However, researchers found a way to disable this protection specifically for Safari’s data directory.
This flaw allows attackers to manipulate Safari’s configuration, accessing data like browsing history, camera, microphone, and smartphone location. By exploiting this flaw, attackers can stealthily capture snapshots, record audio or video streams, and track the device’s location—activities normally gated behind TCC’s consent prompts.
The flaw circumvents these protections by modifying files such as the ‘PerSitePreferences.db’ and ‘UserMediaPermissions.plist’ within the Safari directory, which govern permissions and user preferences regarding access to sensitive services.
After uncovering the exploit method, researchers promptly reported the issue to Apple through Coordinated Vulnerability Disclosure (CVD) under the Microsoft Security Vulnerability Research (MVSR) program. Apple swiftly addressed the issue in macOS Sequoia, releasing a security patch on September 16, 2024.
Interestingly, while Safari enjoys strong entitlements within the macOS environment, allowing it to bypass certain TCC checks, third-party browsers like Chrome, Firefox, and Edge do not have the same permissions. This gives Safari a more privileged standing and exposes it to specific risks when flaws like HM Surf emerge.
Users are still presented with TCC consent prompts when accessing sensitive services like the camera or microphone when using third-party browsers. However, Safari’s ability to bypass such checks for certain services adds complexity, making this vulnerability particularly dangerous when exploited.
Researchers have advised users to update their macOS devices and remain cautious of abnormal browser behaviours that could indicate an attempt to exploit vulnerabilities like HM surf.
In the News: ChatGPT Windows app is now available for paid users