Apple Patches Zero-Day Flaw in MacOS that Allows for Sneaky Screenshots

Apple Singapore Store

Security researchers at Jamf discovered the XCSSET malware exploiting the vulnerability, patched in Big Sur 11.4, to take photos of people’s computer screens without their knowing.

Apple has patched a critical bug in macOS that could be exploited to take screenshots of someone’s computer and capture images of their activity within applications or on video conferences without that person knowing.

Apple addressed the vulnerability—discovered by researchers at enterprise cybersecurity firm Jamf— in the latest version of macOS, Big Sur 11.4, released on Monday, the company told Forbes, according to a published report.

Researchers said they discovered that the XCSSET spyware was using the vulnerability, tracked as CVE-2021-30713, “specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions,” according to a post on the Jamf blog.“This activity was discovered during analysis of XCSSET that they made “after noting a significant uptick of detected variants observed in the wild,” researchers said. Apple so far has not provided specific details about the vulnerability in its entry in the CVE database.

The flaw works by bypassing the Transparency Consent and Control (TCC) framework, which controls what resources applications have access to, “such as granting video collaboration software access to the webcam and microphone, in order to participate in virtual meetings,” according to the Jamf post.

“The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent–which is the default behavior,” researchers said.

History of a Spyware

Trend Micro discovered the XCSSET malware last August when researchers noticed cybercriminals injecting malware into Xcode developer projects, resulting in a propagation of infections. They identified the malware as a suite called XCSSET, which can hijack the Safari web browser and inject various JavaScript payloads that can steal passwords, financial data and personal information, deploy ransomware, and perform other malicious functions.

At the time Trend Micro researchers noticed XCSSET using two zero-day flaws to do its dirty work—one in Data Vault that allowed it to bypass macOS’ System Integrity Protection (SIP) feature; and one in Safari for WebKit Development that allowed universal cross-site scripting (UXSS).

Now it appears a third zero-day flaw can be added to the list of those XCSSET can exploit, according to Jamf, which described in detail how the spyware takes advantage of the bug to bypass the TCC.

Upon a deep dive into the spyware, the Jamf Protect detection team members noticed an AppleScript module titled “screen_sim.applescript” with a check called “verifyCapturePermissions” being used to search for an app with permissions to capture a screenshot from a list of installed apps. The list was derived from an earlier check of the following software appID’s, referred to by the malware as “donorApps.”

“As expected, the list of application IDs that are targeted are all applications that users regularly grant the screen-sharing permission to as part of its normal operation,” researchers wrote. “The malware then uses the following mdfind command–the command-line-based version of Spotlight–to check if the appID’s are installed on the victim’s device.”

If any of those IDs are found on the system, the command returns the path to the installed application and, with this information, XCSSET crafts a custom AppleScript application and injects it into the installed, donor application.

For example, if the virtual meeting app Zoom ( is found on the system, the malware will place itself like this: /Applications/ If the victim machine is running macOS11 or greater, it will then sign the avatarde application with an ad-hoc signature, or one that is signed by the computer itself, researchers said.

XCSSET can then take screenshots or record the screen when the victim is using Zoom without needing explicit consent from the user, inheriting those TCC permissions outright from the Zoom parent app. Researchers found that XCSSET also can use the flaw to hijack other permissions beyond screensharing as well.

MacOS Threats on the Rise

Apple’s latest security woe comes on the heels of an Apple exec publicly lamenting the level of malware against the Mac platform, calling it “unacceptable” in testimony in a California court last Wednesday for a lawsuit (PDF) brought against the company by Epic Games, maker of Fortnite.

Apple head of software engineering Craig Federighi used the threat level as an excuse for Apple’s tight restrictions on the software that is allowed to run on its platform and sell within its iOS App Store.

Indeed, 2021 has been a less-than stellar year so far for Apple security. Earlier this month, Apple released a quartet of unscheduled updates for iOS, macOS, and watchOS, to slap security patches on flaws in its WebKit browser engine.

A week before that, Apple patched a zero-day vulnerability in its MacOS that can bypass critical anti-malware capabilities and which a variant of the notorious Mac threat Shlayer adware dropper already had been exploiting for several months.

The company kicked off the year by removing a contentious macOS feature that allowed some Apple apps to bypass content filters, VPNs and third-party firewalls. They quickly followed that up with an emergency update to patch three zero-day vulnerabilities discovered in iOS after a major software update in November of last year already fixed three that were being actively exploited.

Join Threatpost for “A Walk On The Dark Side: A Pipeline Cyber Crisis Simulation”– a LIVE interactive demo on Wed, June 9 at 2:00 PM EDT. Sponsored by Immersive Labs, find out whether you have the tools and skills to prevent a Colonial Pipeline-style attack on your organization. Questions and LIVE audience participation encouraged. Join the discussion and Register HERE for free.

Suggested articles