{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/privacy/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["medium"],"_cs_tags":["sandbox-escape","privacy","macos"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eA vulnerability exists in macOS Mojave that allows sandboxed applications to bypass intended restrictions on distributed notifications. Apple\u0026rsquo;s macOS sandbox aims to prevent malicious applications from spying on users. However, a flaw exists where sandboxed applications can register to receive distributed notifications by name, such as \u0026ldquo;com.apple.DownloadFileFinished\u0026rdquo;, effectively circumventing the intended restrictions. This vulnerability, disclosed in November 2018, allows a sandboxed application to monitor user activities, such as file downloads, which would normally be prohibited. 
This affects fully patched macOS Mojave systems and likely other versions of macOS.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious application is created and sandboxed on macOS.\u003c/li\u003e\n\u003cli\u003eThe application registers to receive specific distributed notifications by name (e.g., \u003ccode\u003ecom.apple.DownloadFileFinished\u003c/code\u003e) using \u003ccode\u003eCFNotificationCenterAddObserver\u003c/code\u003e or \u003ccode\u003eNSDistributedNotificationCenter\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe sandboxed application monitors system events by receiving distributed notifications.\u003c/li\u003e\n\u003cli\u003eThe application captures user activities, such as file downloads, screen lock/unlock events, screen saver start/stop, and Bluetooth activity.\u003c/li\u003e\n\u003cli\u003eCollected information is stored within the application\u0026rsquo;s sandbox.\u003c/li\u003e\n\u003cli\u003eThe application may then exfiltrate the collected data.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to user activity data, violating user privacy.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows sandboxed applications to bypass intended privacy protections and monitor user activities, such as file downloads and system events. This can lead to unauthorized access to sensitive information and a violation of user privacy. 
While the exact number of victims is unknown, this vulnerability affects any user running a vulnerable version of macOS with a sandboxed application exploiting this flaw.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for sandboxed applications using \u003ccode\u003eCFNotificationCenterAddObserver\u003c/code\u003e or \u003ccode\u003eNSDistributedNotificationCenter\u003c/code\u003e registering for distributed notifications by name (e.g., \u003ccode\u003ecom.apple.DownloadFileFinished\u003c/code\u003e). Deploy the Sigma rule \u003ccode\u003eDetect Sandboxed Application Registering for Distributed Notifications by Name\u003c/code\u003e to your SIEM.\u003c/li\u003e\n\u003cli\u003eInvestigate any sandboxed applications that are observed to be receiving distributed notifications using the event names listed in the overview.\u003c/li\u003e\n\u003cli\u003eConsider monitoring network connections made by sandboxed applications to detect potential data exfiltration attempts after gathering notification data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:10:00Z","date_published":"2024-01-26T18:10:00Z","id":"/briefs/2024-01-macos-sandbox-leak/","summary":"A vulnerability in macOS Mojave allows sandboxed applications to bypass sandbox restrictions and surreptitiously monitor user activities by registering for distributed notifications by name, circumventing intended privacy protections.","title":"macOS Mojave Sandbox Distributed Notification Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-macos-sandbox-leak/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["medium"],"_cs_tags":["quicklook","cache","macos","thumbnail","privacy"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThe macOS QuickLook feature, designed for quickly 
previewing file contents, caches thumbnails and file paths of files, including those stored within encrypted containers (e.g., VeraCrypt, macOS Encrypted HFS+/APFS drives) and removable USB devices. This cached information is stored in the clear within the user\u0026rsquo;s temporary directory ($TMPDIR/../C/com.apple.QuickLook.thumbnailcache/) and persists across reboots. This behavior, while known in forensics circles, is not widely understood by Mac users and can lead to unintended data leakage. The file paths, names, and thumbnail previews are accessible to any code running in the context of the user, even after the encrypted container is unmounted or the USB device is removed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser mounts an encrypted container (e.g., VeraCrypt, APFS) or inserts a USB drive into a macOS system.\u003c/li\u003e\n\u003cli\u003eUser views a directory containing files within the mounted container or USB drive using Finder, or previews a file using the space bar, triggering QuickLook.\u003c/li\u003e\n\u003cli\u003eQuickLook generates thumbnails and caches file paths and names in the \u003ccode\u003e$TMPDIR/../C/com.apple.QuickLook.thumbnailcache/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eindex.sqlite\u003c/code\u003e file stores the file paths and names, while \u003ccode\u003ethumbnails.data\u003c/code\u003e stores the thumbnail images.\u003c/li\u003e\n\u003cli\u003eUser unmounts the encrypted container or removes the USB drive.\u003c/li\u003e\n\u003cli\u003eThe cached thumbnails and file paths remain in the \u003ccode\u003e$TMPDIR/../C/com.apple.QuickLook.thumbnailcache/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eAn attacker gains access to the user\u0026rsquo;s macOS system.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the cached thumbnails and file paths from the QuickLook cache directory, potentially revealing 
sensitive information about the contents of the encrypted container or USB drive.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker with access to a macOS system to recover thumbnails and file paths of files that were stored in encrypted containers or on removable USB devices. This can lead to the disclosure of sensitive information, even if the encrypted containers are unmounted or the USB drives are removed. The impact is significant for users who rely on encryption to protect sensitive data, as the QuickLook cache undermines the security provided by encrypted containers. The size of the thumbnails, even the smaller automatically generated ones, may be sufficient to discern the content of the files.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRegularly clear the QuickLook cache, particularly after unmounting encrypted containers. 
Since \u003ccode\u003eqlmanage -r\u003c/code\u003e doesn\u0026rsquo;t reliably clear the cache, consider deleting the entire \u003ccode\u003ecom.apple.QuickLook.thumbnailcache\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection rules to detect unauthorized access or modification of the QuickLook cache directory (\u003ccode\u003e$TMPDIR/../C/com.apple.QuickLook.thumbnailcache/\u003c/code\u003e) using the \u0026ldquo;Detect Suspicious QuickLook Cache Access\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for attempts to access or manipulate the QuickLook cache files (\u003ccode\u003eindex.sqlite\u003c/code\u003e, \u003ccode\u003ethumbnails.data\u003c/code\u003e) using the \u0026ldquo;Detect QuickLook Cache File Access\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-quicklook-cache-leak/","summary":"macOS QuickLook caches thumbnails and file paths of files, even those stored within encrypted containers or on removable USB devices, potentially revealing sensitive data to attackers with access to the running system.","title":"macOS QuickLook Thumbnail Cache Leak","url":"https://feed.craftedsignal.io/briefs/2024-01-quicklook-cache-leak/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Signal"],"_cs_severities":["medium"],"_cs_tags":["macos","signal","notification","privacy","credential-access"],"_cs_type":"advisory","_cs_vendors":["Apple","Whisper Systems"],"content_html":"\u003cp\u003eA vulnerability exists in the macOS implementation of the Signal messaging application, where \u0026lsquo;disappearing\u0026rsquo; messages may persist in the macOS Notification Center database even after being deleted from the Signal application\u0026rsquo;s user interface. 
This occurs because Signal posts message content to the Notification Center as a banner notification when the app is not in the foreground. While the OS automatically dismisses these banners, the underlying notification data, including message content, remains stored in an unencrypted SQLite database. This issue affects users of Signal on macOS who rely on the disappearing message feature for privacy. The vulnerability was publicly disclosed in May 2018 by Objective-See.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a message in the Signal application on macOS.\u003c/li\u003e\n\u003cli\u003eIf the Signal application is not in the foreground, the message content is displayed as a banner notification via the macOS Notification Center.\u003c/li\u003e\n\u003cli\u003eThe macOS operating system automatically dismisses the banner notification after a few seconds.\u003c/li\u003e\n\u003cli\u003eThe notification data, including the message content, is stored in an SQLite database located at \u003ccode\u003e/private/var/folders/l8/.../com.apple.notificationcenter/db2/db\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe user deletes the message from within the Signal application, triggering its removal from the application\u0026rsquo;s UI.\u003c/li\u003e\n\u003cli\u003eThe Signal application does not explicitly remove the corresponding notification from the macOS Notification Center database.\u003c/li\u003e\n\u003cli\u003eAn attacker with local access to the macOS system can access the unencrypted SQLite database.\u003c/li\u003e\n\u003cli\u003eThe attacker can extract and read the contents of the \u0026lsquo;disappearing\u0026rsquo; messages from the database, bypassing Signal\u0026rsquo;s intended privacy feature.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker with local access to a 
macOS system to recover and read \u0026lsquo;disappearing\u0026rsquo; messages from the Signal application, even after they have been deleted within the application. This compromises the confidentiality of sensitive communications intended to be ephemeral, potentially impacting a large number of Signal users on macOS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to monitor processes accessing the SQLite database \u003ccode\u003e/private/var/folders/l8/.../com.apple.notificationcenter/db2/db\u003c/code\u003e using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eDisable notifications within the Signal application to prevent message content from being stored in the Notification Center database.\u003c/li\u003e\n\u003cli\u003eConsider implementing disk encryption to protect the entire file system, including the Notification Center database.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-signal-notification-leak/","summary":"macOS stores Signal message notifications in an unencrypted SQLite database, potentially exposing 'disappearing' messages even after they are deleted from the Signal application.","title":"Signal 'Disappearing' Messages Persist in macOS Notification Center","url":"https://feed.craftedsignal.io/briefs/2024-01-signal-notification-leak/"}],"language":"en","title":"CraftedSignal Threat Feed — Privacy","version":"https://jsonfeed.org/version/1.1"}