
New Video from @BlackHatOfficialYT Explores macOS Location Service Vulnerabilities
In this new video from BlackHatOfficialYT, Vochua, the head of mobile security at Securing and author of the course "Certified iOS Application Security Engineer," explores vulnerabilities in macOS location services. The video focuses on how applications can access users' locations without their consent by exploiting flaws in the TCC (Transparency, Consent, and Control) privacy framework and macOS location services.
Vochua begins by reviewing the basics of TCC, a privacy framework that protects user data by requiring explicit consent to access certain sensitive resources. He explains that TCC stores permissions in SQLite3 databases, with a global database and a per-user database. However, location services use a different daemon, locationd, which stores permissions in an XML file called clients.plist.
The video then details various methods by which applications can bypass location protections. Vochua shows how non-sandboxed applications can easily modify execution paths and bundle identifiers to impersonate other applications. He also demonstrates that code signing requirements, although theoretically secure, can be bypassed through downgrade attacks, where an older version of an application is used to inject malicious code.
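As an added illustration of the defender-side check these two paragraphs suggest (not code from the video or from the speaker), the script below audits the kind of per-client location authorization list described above. It parses a plist, and for every entry marked authorized it flags executables that live outside the expected application directories, entries whose recorded bundle identifier does not match the client key, and paths that no longer exist on disk. The key names `Authorized`, `BundleId` and `Executable`, the trusted path prefixes and the sample plist are all assumptions constructed for this example; the real file's location and exact schema are not given on this page, so pass the path of the actual file as the first argument when running it on a host.

```python
import plistlib
import sys
from typing import Callable, List, Optional, Tuple

# Constructed sample in the assumed shape of a locationd client list:
# a dictionary keyed by client identifier whose values carry the keys
# "Authorized", "BundleId" and "Executable". These key names and values
# are assumptions for this example, not a documented schema.
SAMPLE_CLIENTS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.example.maps</key>
  <dict>
    <key>Authorized</key><true/>
    <key>BundleId</key><string>com.example.maps</string>
    <key>Executable</key><string>/Applications/Maps Example.app/Contents/MacOS/Maps Example</string>
  </dict>
  <key>com.example.notes</key>
  <dict>
    <key>Authorized</key><true/>
    <key>BundleId</key><string>com.example.notes</string>
    <key>Executable</key><string>/tmp/staging/Contents/MacOS/notes</string>
  </dict>
  <key>com.example.weather</key>
  <dict>
    <key>Authorized</key><false/>
    <key>BundleId</key><string>com.example.weather</string>
    <key>Executable</key><string>/Applications/Weather Example.app/Contents/MacOS/Weather Example</string>
  </dict>
</dict>
</plist>
"""

# Assumed set of directories from which a legitimately installed app is expected to run.
TRUSTED_PREFIXES = ("/Applications/", "/System/")

Finding = Tuple[str, str, str]  # (client id, reason, executable path)


def audit_location_clients(
    plist_bytes: bytes,
    trusted_prefixes: Tuple[str, ...] = TRUSTED_PREFIXES,
    path_exists: Optional[Callable[[str], bool]] = None,
) -> List[Finding]:
    """Return suspicious authorized entries from a client list in the assumed format.

    Only entries with Authorized == true matter: an unauthorized client cannot
    read the location, so it is skipped. An optional path_exists callback lets
    the caller supply a filesystem check (os.path.exists on a live host, or a
    stub when testing offline).
    """
    entries = plistlib.loads(plist_bytes)
    findings: List[Finding] = []
    for client_id, entry in entries.items():
        if not isinstance(entry, dict) or not entry.get("Authorized"):
            continue
        exe = str(entry.get("Executable", ""))
        bundle_id = str(entry.get("BundleId", ""))
        # The recorded bundle id should match the client key it was granted under.
        if bundle_id != client_id:
            findings.append((client_id, "bundle id mismatch", exe))
        # An authorized executable outside the expected install locations is the
        # pattern an impersonating, non-sandboxed binary would leave behind.
        if not exe.startswith(trusted_prefixes):
            findings.append((client_id, "executable outside trusted prefixes", exe))
        elif path_exists is not None and not path_exists(exe):
            findings.append((client_id, "executable path no longer exists", exe))
    return findings


def main() -> None:
    if len(sys.argv) > 1:
        import os
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        findings = audit_location_clients(data, path_exists=os.path.exists)
    else:
        # No path given: run against the constructed sample (no filesystem check).
        findings = audit_location_clients(SAMPLE_CLIENTS_PLIST)
    for client_id, reason, exe in findings:
        print(f"{client_id}: {reason} ({exe})")


if __name__ == "__main__":
    main()
```

Run without arguments it reports the constructed `com.example.notes` entry, whose executable sits in `/tmp`; on a real host the same check, combined with a code-signature verification of each flagged binary, is a cheap way to spot the path and bundle-identifier impersonation the video describes.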
Vochua presents several specific vulnerabilities he discovered that have been fixed by Apple. For example, the macOS Weather app disclosed the user's location in crash logs. Another vulnerability allowed adding trusted TLS certificates without triggering a consent prompt, enabling the capture of the user's location via apps like Find My.
The video also covers browser instrumentation techniques to execute JavaScript code and obtain the user's location. Vochua shows how this method works with Google Chrome and Safari, using legitimate browser features to execute malicious code. He demonstrates a specific vulnerability in Safari that allowed executing JavaScript code via web archives, bypassing location protections.
In conclusion, Vochua emphasizes the importance of detecting code injections and browser instrumentation techniques to secure macOS systems. He also mentions his course on iOS application security, offering a discount for the BlackHat community.
To learn more, watch the full video at the following address: https://www.youtube.com/watch?v=vNVYDr-rxyQ