MacOS Safari ‘HM Surf’ Exploit Exposes Camera, Mic, Browser Data

Microsoft researchers toyed with app permissions to uncover CVE-2024-44133, using it to access sensitive user data. Adware merchants may have as well.

[Nate Nelson, Contributing Writer](/author/nate-nelson), October 18, 2024, 4 Min Read

Image: A surfer riding a wave. Source: Delphotos via Alamy Stock Photo
A security weakness in the Safari browser on macOS devices might have exposed users to spying, data theft, and other forms of malware.

The issue is enabled by the special permissions Apple gives to its proprietary apps — in this case, its browser — and the ease with which an attacker can reach important app configuration files. In the end, it allows an attacker to bypass the [Transparency, Consent, and Control (TCC)](https://www.darkreading.com/vulnerabilities-threats/dprk-exploits-mitre-sub-techniques-phantom-dll-hijacking-tcc-abuse) security layer that Macs use to guard sensitive data. Its CVE entry, CVE-2024-44133, has earned a "medium" severity rating of 5.5 in the Common Vulnerability Scoring System (CVSS).

Researchers from Microsoft have named their exploit of CVE-2024-44133 "[HM Surf](https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access/)." In a new blog post, they described how HM Surf could open the door to a user's browsing data, camera, and microphone, as well as their device's location, among other things. And the threat does not appear to be only theoretical: there is already inconclusive but not insignificant evidence that one adware program has exploited CVE-2024-44133, or something quite like it, in the wild.

Apple released a fix for CVE-2024-44133 in its update to macOS Sequoia on Sept. 16.

"It's a serious concern, because of the unauthorized access it gives," says Xen Madden, cybersecurity expert at Menlo Security, emphasizing the need for organizations to update their macOS devices. But, she adds, "By the looks of it, most EDR tools will detect it, especially since Microsoft Defender is detecting it."

Exploiting HM Surf
------------------

On all Apple devices, TCC manages what sensitive data and features apps can access. If an app wants to access your camera, for example, TCC ensures that your Mac asks for your permission first.

Unless the app has a special "entitlement." Some of Apple's proprietary apps possess entitlements: special permissions, approved by Apple, that grant them privileges other apps do not have. The core of why HM Surf works is Safari's entitlement, `com.apple.private.tcc.allow`, which lets Safari bypass TCC at the app level and apply it only on a per-website ("per-origin") basis. In other words, Safari itself can freely access your camera and microphone, but any given website you visit through Safari likely cannot.

Safari's configuration — including the rules that define per-origin TCC protections — is stored in various files under ~/Library/Safari, within the user's home directory. Manipulating these files could provide a path to [TCC bypass](https://www.darkreading.com/vulnerabilities-threats/zero-click-rce-bug-macos-calendar-exposes-icloud-data), though the home directory is itself TCC-protected.

Getting around that roadblock is simple, though, using the directory service command-line utility (dscl), a macOS tool for managing directory services from the command line. In HM Surf, dscl is used to temporarily change the user's home directory, removing the TCC umbrella shielding ~/Library/Safari. The researchers could then modify Safari's per-origin TCC configuration — granting all kinds of permissions to a malicious website of their own creation — before ultimately reinstating the home directory. Thereafter, if the user visited the malicious site, the site would have free rein to capture screenshots, location data, and more, without ever triggering a permission pop-up.

Was CVE-2024-44133 Already Exploited?
-------------------------------------

After concocting their exploit, Microsoft started scanning customer environments for activity that matched what they had found. On one device, lo and behold, they spotted something closely resembling what they were looking for.

It was a program digging into the victim's Chrome configuration settings, adding approval for microphone and camera access for a specific URL. It also did more: gathering user and device information and laying the groundwork for a second-stage payload.

This program, it turned out, was a well-known macOS adware program called "[AdLoad](https://www.darkreading.com/vulnerabilities-threats/mac-malware-dropping-adware-gets-more-dangerous)." AdLoad hijacks and redirects browser traffic, pestering users with unwanted advertisements. It also goes further: harvesting user data, turning infected devices into nodes in a botnet, and acting as a staging ground for further malicious payloads.

In its blog post, Microsoft noted that though AdLoad's activity closely resembled the HM Surf technique, "Since we weren't able to observe the steps taken leading to the activity, we can't fully determine if the AdLoad campaign is exploiting the HM surf vulnerability itself." Still, it added, "Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique."

Dark Reading has contacted both Apple and Microsoft for further comment on this story.
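The two signals the article describes (dscl rewriting a user's home directory, and something other than Safari editing Safari's per-origin configuration under ~/Library/Safari) are the natural hooks for the EDR-style detection Madden mentions. The sketch below is an added example, not code from Microsoft or Dark Reading; its log format, the process allow-list, and every sample line are constructed assumptions.

```python
"""Detection sketch for the two HM Surf signals the article describes (added
example, not Microsoft's code): dscl rewriting a user's home directory
(NFSHomeDirectory) and a non-Safari process editing files under ~/Library/Safari.
Log format and all sample lines are constructed for this example."""
import re
import shlex
from dataclasses import dataclass

# Constructed format: "<timestamp> <exec|write> pid=<n> proc=<name> <detail>",
# detail being the argument string for exec and the target path for write.
LINE_RE = re.compile(r"^(\S+) (exec|write) pid=(\d+) proc=(\S+) (.+)$")
SAFARI_CFG_RE = re.compile(r"^/Users/[^/]+/Library/Safari(/|$)")
ALLOWED_WRITERS = {"Safari"}  # assumption: only Safari should edit its own config
DSCL_WRITE_OPS = {"-create", "-change", "-append"}

@dataclass
class Alert:
    ts: str
    pid: int
    rule: str

def analyse(lines):
    """Return one Alert per log line that matches either HM Surf signal."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unexpected format, skip
        ts, event, pid, proc, detail = m.groups()
        if event == "exec" and proc == "dscl":
            argv = shlex.split(detail)
            # Reading the attribute (-read) is routine; writing it is the signal.
            if "NFSHomeDirectory" in argv and DSCL_WRITE_OPS & set(argv):
                alerts.append(Alert(ts, int(pid), "dscl_home_directory_change"))
        elif event == "write" and SAFARI_CFG_RE.match(detail) and proc not in ALLOWED_WRITERS:
            alerts.append(Alert(ts, int(pid), "non_safari_write_to_safari_config"))
    return alerts

# Constructed sample: benign read, home-directory swap, a foreign process editing
# a placeholder-named Safari config file, Safari's own write, and the restore.
SAMPLE_LOG = [
    "2024-10-17T10:00:01Z exec pid=501 proc=dscl . -read /Users/alice NFSHomeDirectory",
    "2024-10-17T10:00:02Z exec pid=502 proc=dscl . -change /Users/alice NFSHomeDirectory /Users/alice /tmp/alice",
    "2024-10-17T10:00:03Z write pid=503 proc=updater /Users/alice/Library/Safari/site-permissions.db",
    "2024-10-17T10:00:04Z write pid=504 proc=Safari /Users/alice/Library/Safari/History.db",
    "2024-10-17T10:00:05Z exec pid=505 proc=dscl . -change /Users/alice NFSHomeDirectory /tmp/alice /Users/alice",
]
```

Run against `SAMPLE_LOG` this yields three alerts: the swap, the foreign write, and the restore, while the benign `-read` and Safari's own write stay quiet.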
About the Author
----------------

[Nate Nelson, Contributing Writer](/author/nate-nelson)

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" — an award-winning Top 20 tech podcast on Apple and Spotify — and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.