Microsoft says Powerdir vulnerability in macOS could have given attackers access to user data

Jan 12, 2022

The Microsoft 365 Defender Research Team has revealed that it discovered a security vulnerability in macOS Monterey. This is the 2nd time the Redmond company discovered a security issue in macOS, after the Shrootless vulnerability, that came to light in October 2021.

What is the Powerdir vulnerability?

It is a security loophole that impacts a component in macOS called Transparency, Consent, and Control (TCC). This technology prevent apps from accessing the user's personal data like the iCloud, Calendar, as well as hardware such as the camera, microphone and location.

Apple had a security feature in place to restrict apps from accessing TCC, this policy only allowed apps with full disk access to make changes. Microsoft's researchers discovered that changing the home directory of a user, and spoofing a fake TCC database in its place, was enough to allow apps to bypass TCC's protection and compromise the data it should have protected. This exploit could have potentially be used for targeted attacks, e.g. a hacker could install replace an app with a malicious one to record private conversations, take screenshots of the user's screen, aka spy on the user.

The above screenshot, from Microsoft's team, shows a proof-of-concept exploit to highlight how the Powerdir vulnerability was successful in gaining access to the user data. This is not the first time TCC has been found to be vulnerable, writes, Jonathan Bar Or, Senior Security Researcher at Microsoft. He notes that three such TCC related issues, namely Time Machine mounts (CVE-2020-9771), Environment variable poisoning (CVE-2020-9934), and Bundle conclusion issue (CVE-2021-30713), were patched by Apple since 2020. The report goes on to state that Microsoft was aware of other similar exploits, but these had been fixed by Apple, but when testing a fix for one of these, the researchers stumbled upon a new bug, Powerdir. Interestingly, the researchers had to update their proof-of-concept exploit, after a macOS update prevented the initial version from working.

Having confirmed that the bug in TCC could be exploited, Microsoft's Security Researchers shared their findings with Apple in July 2021, via Coordinated Vulnerability Disclosure (CVD), to allow the Cupertino company to patch the issue. Bleeping Computer notes that Microsoft collaborated with NETGEAR last year, to resolve critical bugs in the firmware of some router models, that hackers could have used to breach enterprise networks. It is good to see tech giants working together to protect users, but we have also seen independent security experts contribute to the ecosystem for the same cause.

Powerdir vulnerability has been patched in macOS 12.1 Update

Apple released the macOS 12.1 Update in December 2021, and this software update includes fixes for several security issues that were reported by researchers, and it includes a patch for the Powerdir vulnerability. The issue has been assigned the tag CVE-202-30970. Apple's Security Advisory mentions the Powerdir vulnerability's impact as" A malicious application may be able to bypass Privacy preferences." The description for the patch says that a logic issue was addressed with improved state management.

The vulnerability has also been patched in macOS Big Sur 11.6.2.

If you have not updated your macOS, you should install the patch as soon as possible.

Article Name
Microsoft discovers Powerdir vulnerability in macOS
Microsoft explains how the Powerdir vulnerability in macOS was discovered, and how it could have allowed attackers access to user data.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. piomiq said on January 12, 2022 at 8:41 pm

    Wow. Microsoft found vulnerability in competition, whereas they have such hundreds or more per year.

  2. ULBoom said on January 12, 2022 at 7:44 pm


    MS did do that but as a pre-emptive strike against more anti-trust charges. It was when MS was ordered to pull IE out of Windows and came close to being broken up, around 1999-2000.

    Although the amount was a pittance, it had absolutely zip to do with MS being nice. Apple did great at creating a future market by loading schools with iMacs. Now they soak their cult with insane app and subscription charges, their hardware market is small.

    An iPhone costs 50% more per month just for service than an android phone on my basic carrier. I kept mine for a day, then sent it back; phones are commodities, most are almost identical. I saw nothing in that iPhone beside even more junk to disable or remove than android and very limited app choices.

  3. Klaas Vaak said on January 12, 2022 at 10:29 am

    @beemeup5: when Apple was almost down and out Steve Jobs went to Bill Gates, hat in hand, to ask for a bit of financial help. BG donated/lent him $150 million, which was the kick start Apple needed. Today Apple’s $3 trillion market cap is much higher than Microsoft’s.

    1. Clark said on January 12, 2022 at 2:22 pm

      Apple crossed $3 trillion but the market rejected it.

      I would say “much higher”

      Apple is $2.859 Trillion
      Microsoft is $2.364 Trillion

      Its a lot yea but at those values on that scale it isnt huge.

    2. iron_klasse said on January 12, 2022 at 12:45 pm

      Were u there?? Where the k-ick did u pull up this k-rap??

  4. beemeup5 said on January 12, 2022 at 9:35 am

    It’s nice to see that security researchers are equal opportunists but it is playfully ironic to see Microsoft helping out Apple. True bros they are!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.