Microsoft has recently revealed details about the risk posed by a macOS bug that was patched a short while ago. If exploited by hackers, it could result in the exposure of users’ personal information.

About the macOS Bug

The macOS bug under discussion is tracked as CVE-2021-30970, a logic issue in the Transparency, Consent, and Control (TCC) security framework. Through this framework, users configure privacy settings and enable access to app data or protected files.

Following our discovery of the “Shrootless” vulnerability, Microsoft uncovered a new macOS vulnerability, “powerdir,” that could allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, thereby gaining unauthorized access to a user’s protected data. We shared our findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Apple released a fix for this vulnerability, now identified as CVE-2021-30970, as part of security updates released on December 13, 2021. We encourage macOS users to apply these security updates as soon as possible.


According to The Hacker News, the bug was reported to Apple on the 15th of July 2021 by the Microsoft 365 Defender Research Team, which named the vulnerability powerdir.

Apple addressed this macOS bug with the macOS 11.6 and 12.1 updates released in December last year. Although Apple enforces a policy that allows only apps with full disk access to connect to TCC, researchers found that a malicious app could bypass the privacy preferences and retrieve sensitive data from the machine. A threat actor could then gain access to the microphone to record private conversations, or take screenshots of the user’s sensitive data.

We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests. If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data.


The danger is that an attacker who achieves full disk access to the TCC database can edit it to grant permission to any app they want. An app can then be enabled to run with new configurations.
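An added example (not from the article or from Microsoft's write-up) of a defender-side check for the two conditions described above: it compares a saved baseline of account home directories with a current listing and reports whether a per-user TCC.db exists under any changed home. It assumes both listings use the name-and-path layout printed by `dscl . -list /Users NFSHomeDirectory`; the account names and paths in `demo` are constructed.

```shell
#!/bin/sh
# Added example: audit account home directories against a baseline.
# Per-user TCC database location, relative to a home directory.
TCC_REL='Library/Application Support/com.apple.TCC/TCC.db'
TAB=$(printf '\t')

# audit_homes BASELINE CURRENT
# Prints one tab-separated line per account whose home changed:
#   user  old_home  new_home  TCC_DB_PRESENT|no_tcc_db
audit_homes() {
    awk '
        NF < 2 { next }                      # skip accounts with no home
        { name = $1; path = $0; sub(/^[^ \t]+[ \t]+/, "", path) }
        FILENAME == ARGV[1] { base[name] = path; next }
        (name in base) && base[name] != path {
            printf "%s\t%s\t%s\n", name, base[name], path
        }' "$1" "$2" |
    while IFS="$TAB" read -r user old new; do
        if [ -f "$new/$TCC_REL" ]; then
            status=TCC_DB_PRESENT            # a consent database sits in the new home
        else
            status=no_tcc_db
        fi
        printf '%s\t%s\t%s\t%s\n' "$user" "$old" "$new" "$status"
    done
}

# Constructed sample data: alice's home now points at a directory that
# already holds a TCC.db; bob is unchanged and must not be reported.
demo() {
    work=$(mktemp -d) || return 1
    fake="$work/planted home"
    mkdir -p "$fake/$(dirname "$TCC_REL")"
    : > "$fake/$TCC_REL"                     # empty stand-in file
    printf 'alice  /Users/alice\nbob  /Users/bob\n' > "$work/baseline.txt"
    printf 'alice  %s\nbob  /Users/bob\n' "$fake" > "$work/current.txt"
    audit_homes "$work/baseline.txt" "$work/current.txt"
    rm -rf "$work"
}
demo
```

A changed home directory is not malicious by itself, so a `TCC_DB_PRESENT` line is a prompt to review who made the change and when the database file was created.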

Besides CVE-2021-30970, two other bypass vulnerabilities related to the TCC database had been discovered previously: CVE-2020-9934 and CVE-2020-27937. Apple patched both of them.

In May 2021, the company also addressed a zero-day vulnerability tracked as CVE-2021-30713 that, if exploited successfully, could have let a hacker achieve full disk access, record the screen, and more.

How Can Heimdal™ Help?

Vulnerabilities emerge every day, so security researchers are working continuously to address them in a timely manner. This proves the need for a proper vulnerability management strategy that could only be carried out efficiently with an automated Patch & Asset Management tool. Our product covers patches from Microsoft to third-party and proprietary ones with the shortest vendor-to-end-user waiting time: in less than 4 hours you have the patch fully tested and repackaged in your Heimdal™ Cloud, ready for deployment.


Author Profile

Andra Andrioaie

Security Enthusiast


Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!
