https://feed.craftedsignal.io/tags/privacy/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 26 Jan 2024 18:10:00 +0000https://feed.craftedsignal.io/briefs/2024-01-macos-sandbox-leak/Fri, 26 Jan 2024 18:10:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-macos-sandbox-leak/A vulnerability in macOS Mojave allows sandboxed applications to bypass sandbox restrictions and surreptitiously monitor user activities by registering for distributed notifications by name, circumventing intended privacy protections.A vulnerability exists in macOS Mojave that allows sandboxed applications to bypass intended restrictions on distributed notifications. Apple’s macOS sandbox aims to prevent malicious applications from spying on users. However, a flaw exists where sandboxed applications can register to receive distributed notifications by name, such as “com.apple.DownloadFileFinished”, effectively circumventing the intended restrictions. This vulnerability, disclosed in November 2018, allows a sandboxed application to monitor user activities, such as file downloads, which would normally be prohibited. This affects fully patched macOS Mojave systems and likely other versions of macOS.

Attack Chain

1. A malicious application is created and sandboxed on macOS.
2. The application registers to receive specific distributed notifications by name (e.g., com.apple.DownloadFileFinished) using CFNotificationCenterAddObserver or NSDistributedNotificationCenter.
3. The sandboxed application monitors system events by receiving distributed notifications.
4. The application captures user activities, such as file downloads, screen lock/unlock events, screen saver start/stop, and bluetooth activity.
5. Collected information is stored within the application’s sandbox.
6. The application may then exfiltrate the collected data.
7. The attacker gains unauthorized access to user activity data, violating user privacy.

Impact

Successful exploitation of this vulnerability allows sandboxed applications to bypass intended privacy protections and monitor user activities, such as file downloads and system events. This can lead to unauthorized access to sensitive information and a violation of user privacy. While the exact number of victims is unknown, this vulnerability affects any user running a vulnerable version of macOS with a sandboxed application exploiting this flaw.

Recommendation

• Monitor process creations for sandboxed applications using CFNotificationCenterAddObserver or NSDistributedNotificationCenter registering for distributed notifications by name (e.g., com.apple.DownloadFileFinished). Deploy the Sigma rule Detect Sandboxed Application Registering for Distributed Notifications by Name to your SIEM.
• Investigate any sandboxed applications that are observed to be receiving distributed notifications using the event names listed in the overview.
• Consider monitoring network connections made by sandboxed applications to detect potential data exfiltration attempts after gathering notification data.

]]>mediumadvisorysandbox-escapeprivacymacoshttps://feed.craftedsignal.io/briefs/2024-01-quicklook-cache-leak/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-quicklook-cache-leak/macOS QuickLook caches thumbnails and file paths of files, even those stored within encrypted containers or on removable USB devices, potentially revealing sensitive data to attackers with access to the running system.The macOS QuickLook feature, designed for quickly previewing file contents, caches thumbnails and file paths of files, including those stored within encrypted containers (e.g., VeraCrypt, macOS Encrypted HFS+/APFS drives) and removable USB devices. This cached information is stored in the clear within the user’s temporary directory ($TMPDIR/../C/com.apple.QuickLook.thumbnailcache/) and persists across reboots. This behavior, while known in forensics circles, is not widely understood by Mac users and can lead to unintended data leakage. The file paths, names, and thumbnail previews are accessible to any code running in the context of the user, even after the encrypted container is unmounted or the USB device is removed.

Attack Chain

1. User mounts an encrypted container (e.g., VeraCrypt, APFS) or inserts a USB drive into a macOS system.
2. User views a directory containing files within the mounted container or USB drive using Finder, or previews a file using the space bar, triggering QuickLook.
3. QuickLook generates thumbnails and caches file paths and names in the $TMPDIR/../C/com.apple.QuickLook.thumbnailcache/ directory.
4. The index.sqlite file stores the file paths and names, while thumbnails.data stores the thumbnail images.
5. User unmounts the encrypted container or removes the USB drive.
6. The cached thumbnails and file paths remain in the $TMPDIR/../C/com.apple.QuickLook.thumbnailcache/ directory.
7. An attacker gains access to the user’s macOS system.
8. The attacker extracts the cached thumbnails and file paths from the QuickLook cache directory, potentially revealing sensitive information about the contents of the encrypted container or USB drive.

Impact

Successful exploitation allows an attacker with access to a macOS system to recover thumbnails and file paths of files that were stored in encrypted containers or on removable USB devices. This can lead to the disclosure of sensitive information, even if the encrypted containers are unmounted or the USB drives are removed. The impact is significant for users who rely on encryption to protect sensitive data, as the QuickLook cache undermines the security provided by encrypted containers. The size of the thumbnails, even the smaller automatically generated ones, may be sufficient to discern the content of the files.

Recommendation

• Regularly clear the QuickLook cache, particularly after unmounting encrypted containers. Since qlmanage -r doesn’t reliably clear the cache, consider deleting the entire com.apple.QuickLook.thumbnailcache directory.
• Implement endpoint detection rules to detect unauthorized access or modification of the QuickLook cache directory ($TMPDIR/../C/com.apple.QuickLook.thumbnailcache/) using the “Detect Suspicious QuickLook Cache Access” Sigma rule.
• Monitor process execution for attempts to access or manipulate the QuickLook cache files (index.sqlite, thumbnails.data) using the “Detect QuickLook Cache File Access” Sigma rule.

]]>mediumadvisoryquicklookcachemacosthumbnailprivacyhttps://feed.craftedsignal.io/briefs/2024-01-signal-notification-leak/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-signal-notification-leak/macOS stores Signal message notifications in an unencrypted SQLite database, potentially exposing 'disappearing' messages even after they are deleted from the Signal application.A vulnerability exists in the macOS implementation of the Signal messaging application, where ‘disappearing’ messages may persist in the macOS Notification Center database even after being deleted from the Signal application’s user interface. This occurs because Signal posts message content to the Notification Center as a banner notification when the app is not in the foreground. While the OS automatically dismisses these banners, the underlying notification data, including message content, remains stored in an unencrypted SQLite database. This issue affects users of Signal on macOS who rely on the disappearing message feature for privacy. The vulnerability was publicly disclosed in May 2018 by Objective-See.

Attack Chain

1. A user receives a message in the Signal application on macOS.
2. If the Signal application is not in the foreground, the message content is displayed as a banner notification via the macOS Notification Center.
3. The macOS operating system automatically dismisses the banner notification after a few seconds.
4. The notification data, including the message content, is stored in an SQLite database located at /private/var/folders/l8/.../com.apple.notificationcenter/db2/db.
5. The user deletes the message from within the Signal application, triggering its removal from the application’s UI.
6. The Signal application does not explicitly remove the corresponding notification from the macOS Notification Center database.
7. An attacker with local access to the macOS system can access the unencrypted SQLite database.
8. The attacker can extract and read the contents of the ‘disappearing’ messages from the database, bypassing Signal’s intended privacy feature.

Impact

Successful exploitation of this vulnerability allows an attacker with local access to a macOS system to recover and read ‘disappearing’ messages from the Signal application, even after they have been deleted within the application. This compromises the confidentiality of sensitive communications intended to be ephemeral, potentially impacting a large number of Signal users on macOS.

Recommendation

• Enable Sysmon process-creation logging to monitor processes accessing the SQLite database /private/var/folders/l8/.../com.apple.notificationcenter/db2/db using the provided Sigma rule.
• Disable notifications within the Signal application to prevent message content from being stored in the Notification Center database.
• Consider implementing disk encryption to protect the entire file system, including the Notification Center database.

]]>mediumadvisorymacossignalnotificationprivacycredential-access