Microsoft: Bug in powerdir server lets users bypass macOS login screen

by Don Sharpe
Don Sharpe
Don Sharpe
Don has been writing professionally for over 10 years now, but his passion for the written word started back in his elementary school days. His work has been... read more
Affiliate Disclosure
  • The TCC is a security technology that allows Apple users to control the privacy settings of the apps installed on their systems and devices connected to their devices.
  • Apple users with the new TCC will allow full disk access to apps with setup features to automatically prevent unauthorized code execution.
  • Finally Apple has been able to fix the vulnerability in security updates released late last year in December. 

Microsoft warns that the macOS vulnerability could be used to bypass the company’s Transparency, Consent, and Control (TCC) technology.

The Microsoft 365 Defender Research Team reported a vulnerability in Apple’s MacBook Pro model T5 to Apple via the Microsoft Security Vulnerability Research (MSVR) on July 15, 2021.

TCC is a security technology designed to allow Apple users to control the privacy settings of the apps installed on their systems and devices connected to their Macs, including cameras and microphones.

Apple has assured users that its new TCC will only allow full disk access to apps with set up features to automatically block unauthorized code execution.


Microsoft researchers discovered that cybercriminals could trick a user into clicking on a malicious link to gain access to personal information stored in a TCC database.

“We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests,” according to a principal security researcher at Microsoft, Jonathan Bar.

“If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data.

“For example, the attacker could hijack an app installed on the device or install their own malicious app and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen.”

Reported TCC bypasses

Apple has also patched other TCC bypasses reported since 2020, including:

  • Environment variable poisoning 
  • Time Machine mounts 
  • Bundle conclusion issue 

Besides, Apple has fixed the vulnerability in security updates released last month, on December 13, 2021. “A malicious application may be able to bypass Privacy preferences,” as per the security advisory

Apple has dealt with the logic flaw behind the powerdir security flaw bug by developing better state management.

“During this research, we had to update our proof-of-concept (POC) exploit because the initial version no longer worked on the latest macOS version, Monterey,” Jonathan indicated.

“This shows that even as macOS or other operating systems and applications become more hardened with each release, software vendors like Apple, security researchers, and the larger security community, need to continuously work together to identify and fix vulnerabilities before attackers can take advantage of them.”


Microsoft today disclosed a security flaw, codenamed Shrootless, that would allow an attacker to bypass System Integrity Protection (SIP) and perform arbitrary operations, elevate privileges to root, and install rootkits on vulnerable devices.

The company’s researchers also discovered new variants of macOS malware known as UpdateAgent or Vigram, updated with new evasion and persistence tactics.

Last year, in June, a security researcher (Redmond) from Tactical Network Solutions revealed critical flaws in a number of NETGEAR router models. Hackers could use the flaws to breach and move laterally within enterprise networks.

Have you faced any of these setbacks? Share your thoughts with us in the comment section below.