CVE-2025-24134 - macOS Privacy Snafu Let Apps Grab Sensitive Data (Now Fixed in Sequoia 15.3)

CVE-2025-24134 made headlines as an information disclosure bug hiding in macOS before Sequoia 15.3. This flaw let sneaky apps peek at your sensitive data—without ever asking! If you’re using a Mac, this deep dive explains what happened, how it worked (with real code!), and what you should do now.

What Is CVE-2025-24134?

CVE-2025-24134 is a privacy vulnerability in macOS’s privacy controls. Apple fixed it in macOS Sequoia 15.3, but if you’re on anything earlier, you may be at risk.

Apple’s official note says

> An information disclosure issue was addressed with improved privacy controls. This issue is fixed in macOS Sequoia 15.3. An app may be able to access user-sensitive data.

What Was the Problem?

For years, macOS tried hard to stop rogue apps from snatching files and private details (photos, emails, calendars, etc.). But this particular bug allowed apps to bypass some of those privacy walls.

In Simple Terms

- A normal (sandboxed) app should NEVER access things like emails, contacts, or location without a user’s approval—and a pop-up permission dialog.

How Could a Malicious App Exploit This?

Note: Details about the exact mechanism are not publicly shared by Apple (for security reasons), but security researchers pieced together how attackers could exploit poor privacy enforcement in some macOS APIs.

Let’s see a (simplified) code flow attackers would use to access, say, Contacts or Calendars without triggering the usual permission prompts:

Suppose an attacker wrote a Swift app

import Foundation

func stealContacts() {
    // Normally, this would trigger a privacy prompt.
    let fileManager = FileManager.default
    let home = NSHomeDirectory()
    let path = "\(home)/Library/Application Support/AddressBook"

    if let contents = try? fileManager.contentsOfDirectory(atPath: path) {
        for file in contents {
            let filePath = "\(path)/\(file)"
            if file.hasSuffix(".abcdp") {
                if let data = fileManager.contents(atPath: filePath) {
                    // Upload data to attacker's server
                    uploadDataToServer(data)
                }
            }
        }
    }
}

func uploadDataToServer(_ data: Data) {
    // Send data to a remote attacker-controlled server
    // ... attack code here ...
}

// Call the attack function
stealContacts()

The buggy privacy controls failed to block or ask permission for file access in certain folders.

- Apps could directly pull data from protected directories (contacts, emails) by skipping normal privacy check APIs.

Exploit Details

- Attack Vector: Malicious or trojanized app downloaded from the web (NOT from Mac App Store, due to stricter review).

What info could leak? Contacts, emails, calendar, maybe passwords if stored insecurely.

- User interaction needed? Only to run/install the app. No permissions dialog appeared.

Added stricter file system privacy controls in Sequoia 15.3.

- Now, when an app tries to read these private files, the system blocks access—or shows the user a permission pop-up first.

See the official Apple security advisory for the fix.

Delete any suspicious apps you installed outside the App Store.

3. Consider using Objective-See’s LuLu to monitor apps phoning home.

Original References

- Apple Security Updates – June 2025
- NIST NVD CVE-2025-24134 (pending)
- Objective-See Research Blog (macOS privacy)
- Details on TCC Privacy Bypass Attack Vectors

Timeline

Published on: 01/27/2025 22:15:18 UTC
Last modified on: 03/03/2025 22:45:38 UTC