Apple developer and 9to5Mac writer Guilherme Rambo on Tuesday shared details of three now-patched security bugs he discovered in macOS that, if successfully exploited, could give unauthorized apps access to a user’s location and Safari browsing history.
Rambo is the same developer who discovered SiriSpy, an iOS bug that allowed apps to eavesdrop on users’ conversations with Siri, last year.
The first two bugs, tracked as CVE-2023-23506 and CVE-2023-28192, had to do with TimeZoneService.xpc within macOS. TimeZoneService handles the “Set timezone automatically using your current location” option (among others), giving it access to the device’s location.
Rambo was able to successfully exploit these vulnerabilities using a symlink trick. These bugs risked giving threat actors and unauthorized apps access to the user’s location without them ever knowing.
CVE-2023-23506 and CVE-2023-28192 were initially reported to Apple on November 1, 2022, per Rambo. Apple released a fix for CVE-2023-23506 with macOS 13.2 on January 23, 2023, while CVE-2023-28192 was patched with macOS 13.3, which started rolling out last week.
The third bug, meanwhile, could be exploited to access Safari’s browsing history database. According to Rambo, Safari creates and maintains a browsing history database that can contain “very sensitive data about a user’s browsing habits, including search queries, sensitive private URLs, and URLs to file sharing services containing confidential information that’s secured by the obscurity of the URL itself.”
Tracked as CVE-2023-23510, this vulnerability was present in both the public Safari build and Safari Technology Preview. Rambo reported CVE-2023-23510 to Apple on November 7, 2022, and the vulnerability was patched in macOS 13.2.
Apple awarded a Bug Bounty of $23,500 USD to Rambo for CVE-2023-23506 and CVE-2023-28192, and $12,000 for CVE-2023-23510. That’s more than the $7,000 he was paid for discovering and reporting SiriSpy, which could have potentially been even more insidious, last year.
