Techly NewsGet the app

Get the latest tech news

Can you trust that permission pop-up on macOS?


A security research blog.

The TCCAccessRequestIndirect function included a logic bug that resulted in the behavior I described at the start of this article: where a sender could specify one app which would be used to build and display the user consent prompt while also specifying another that would actually be inserted into the database as the one that requested the service. Consent prompts for access to specific directories could also be spoofed, but additional layers of security around files made it not very useful (although, unrelated, Apple did recently patch a filesystem-based sandbox escape). In this hypothetical example, if you were unfortunate enough to be tricked by the above prompt and click Allow you would be giving some unknown app half of what it needs to ultimately change your home folder, plant a fake TCC.db, and bypass the real database.

Get the Android app

Or read this on Hacker News

Read more on:

Photo of macOS

macOS

Photo of cve-2025

cve-2025

Related news:

News photo

Show HN: Oliphaunt – A native Mastodon client for macOS

News photo

Apple Seeds macOS Sequoia 15.5 Release Candidate

News photo

How to Share Safari Tab Groups in macOS

« A Proven Guide to Building Your Path to Success
Amazon quietly drops HUGE sale on Garmin smartwatches — here are the 5 deals that matter »