Camera, Microphone, and Browser Data at Risk Due to MacOS Safari Vulnerability


Security Weakness in Safari Browser on macOS Devices Exposed Users to Spying and Data Theft

A security flaw in the Safari browser on macOS devices has potentially put users at risk of spying, data theft, and malware attacks. The vulnerability, tracked as CVE-2024-44133, was rated 5.5 on the Common Vulnerability Scoring System (CVSS), a “medium” severity score.

Researchers from Microsoft have named their exploit of this vulnerability “HM Surf,” which can bypass the Transparency, Consent, and Control (TCC) security layer on MacBooks, granting unauthorized access to browsing data, camera, microphone, and location information. While Apple has released a fix for CVE-2024-44133 in the macOS Sequoia update, there is evidence to suggest that an adware program, possibly AdLoad, has already exploited a similar vulnerability in the wild.

The core of the HM Surf exploit lies in a Safari entitlement that lets the browser bypass TCC restrictions at the app level and apply them only on a per-origin basis. By manipulating Safari’s configuration files stored in the user’s home directory, attackers can modify TCC protections for malicious websites, granting them unrestricted access to sensitive data without triggering permission requests.
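
One way a defender could watch for the configuration tampering described above, as an added example that is not from the original article or from Microsoft's research: it scans file-event telemetry for changes inside Safari's per-user directory made by any process other than Safari. The JSON event format, the `Library/Safari` location, the allow-listed executable path and the sample events are assumptions constructed for illustration.

```python
import json
from pathlib import PurePosixPath

# Assumption: Safari's per-user configuration sits in this directory under each
# home directory; the article does not name the files themselves.
WATCHED_SUBDIR = ("Library", "Safari")
# Assumption: the only executable expected to write there on this fleet.
ALLOWED_WRITERS = {"/Applications/Safari.app/Contents/MacOS/Safari"}
WRITE_OPS = {"create", "write", "rename", "unlink"}

def watched_user(path):
    """Return the home-directory owner if path is inside /Users/<name>/Library/Safari."""
    parts = PurePosixPath(path).parts if isinstance(path, str) else ()
    # parts looks like ('/', 'Users', name, 'Library', 'Safari', file...)
    if len(parts) > 5 and parts[:2] == ("/", "Users") and parts[3:5] == WATCHED_SUBDIR:
        return parts[2]
    return None

def suspicious_events(lines):
    """Return (user, process, op) for each non-Safari change to a watched file."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the scan
        if not isinstance(ev, dict) or ev.get("op") not in WRITE_OPS:
            continue
        # A rename can move a prepared file into place, so check source and destination.
        users = [u for u in (watched_user(ev.get("path")), watched_user(ev.get("dest"))) if u]
        if users and ev.get("process") not in ALLOWED_WRITERS:
            alerts.append((users[0], ev.get("process"), ev["op"]))
    return alerts

# Constructed sample events (not real telemetry); file names are placeholders.
PREFS = "Library/Safari/example-site-prefs.db"
SAFARI = "/Applications/Safari.app/Contents/MacOS/Safari"
SAMPLE_EVENTS = [
    json.dumps({"process": SAFARI, "op": "write", "path": f"/Users/alice/{PREFS}"}),
    json.dumps({"process": "/private/tmp/updater", "op": "write", "path": f"/Users/alice/{PREFS}"}),
    json.dumps({"process": "/private/tmp/updater", "op": "rename",
                "path": "/private/tmp/staged.db", "dest": f"/Users/bob/{PREFS}"}),
    json.dumps({"process": "/private/tmp/updater", "op": "read", "path": f"/Users/alice/{PREFS}"}),
    json.dumps({"process": "/usr/bin/vim", "op": "write", "path": "/Users/alice/notes.txt"}),
    "truncated {",
]

if __name__ == "__main__":
    for user, process, op in suspicious_events(SAMPLE_EVENTS):
        print(f"ALERT user={user} process={process} op={op}")
```

Paths are assumed to be absolute and already resolved by the telemetry source; the allow-list should be adjusted to wherever Safari's executable actually lives on the monitored macOS version.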

Microsoft discovered activity resembling the HM Surf technique in a well-known macOS adware program, AdLoad, which not only bombards users with unwanted ads but also steals user data and acts as a staging ground for further malicious payloads. While the connection to HM Surf is not definitive, the similarity in tactics underscores the need for robust protection against such exploits. Apple and Microsoft have been contacted for further comment on this developing story.
