Bypass TCC via iCloud
Overview These vulnerabilities were first disclosed at TyphoonCon in Seoul during my talk What happens on your Mac, stays on Apple’s iCloud?! Bypassing Mac privacy mechanisms. I found 2 code injection opportunities in iMovie and GarageBand which allowed me impersonating their com.apple.private.icloud-account.access entitlements. Then, I was able to talk to iCloud XPC helper which gave me the user’s iCloud tokens. With these tokens, I was able to get all the data that is synchronized with iCloud and is normally protected via TCC (Contacts, Reminders, Calendars, Location, etc).