CVE-2021-30713 — Apple macOS Unspecified Vulnerability

CVE-2021-30713

Apple macOS TCC — Missing Authorization Check Allows Malicious App to Bypass Privacy Preferences and Access Camera, Microphone, and Screen

Transparency, Consent, and Control (TCC) is macOS's privacy permissions framework. It gates application access to sensitive resources: camera, microphone, screen recording, contacts, calendar, location, photos, accessibility, and full disk access. The first time an app requests one of these resources, macOS shows a prompt asking the user to allow or deny, and the decision is recorded in a TCC database (per user at ~/Library/Application Support/com.apple.TCC/TCC.db, and system-wide under /Library/Application Support/com.apple.TCC/). TCC is a critical security boundary: bypassing it lets a malicious app silently use the camera and microphone, record the screen, or read personal data without ever showing a prompt. TCC bypasses are highly valued by spyware developers because they enable covert surveillance with no user-visible indication.

Overview

CVE-2021-30713 is a missing authorization check (CWE-862) in macOS's Transparency, Consent, and Control (TCC) framework; Apple's advisory describes it as a permissions issue addressed with improved validation. A malicious application running with ordinary user privileges could borrow the permission grants of another, trusted application and reach protected resources (camera, microphone, screen recording, contacts, calendar) without a prompt or explicit user consent. Jamf Threat Labs found the bug being exploited in the wild by the XCSSET malware: XCSSET looked for an installed app that already held the Screen Recording grant, such as Zoom, and planted its own AppleScript applet bundle inside that app's bundle directory. When the applet was launched from there, TCC treated it as part of the donor app and extended the donor's grant to it, so the malware could take screenshots with no prompt. Apple patched this in macOS Big Sur 11.4 on May 24, 2021.

Affected Versions

Product                    Vulnerable   Fixed
macOS Big Sur before 11.4  Yes          macOS Big Sur 11.4 (May 24, 2021)

Technical Details

  • Root cause: Missing authorization check (CWE-862) in TCC. When deciding whether a requesting process was covered by an existing grant, TCC relied on the requester's location inside an already-authorized app's bundle rather than validating the requester's own identity, so a bundle nested inside a donor app effectively inherited the donor's database entries
  • Donor-app inheritance: XCSSET searched for apps already allowed to record the screen (conferencing and messaging apps such as Zoom or Skype), wrote a small AppleScript applet bundle with its own Info.plist into the chosen donor's bundle directory, and launched it from there. Nothing was injected into the donor's binary; the bypass came entirely from where the applet lived
  • Silent access: The bypass allows access to protected resources without any macOS permission dialog. The user sees no indication that the camera, microphone, or screen is being accessed
  • Attack vector: Local (AV:L) with low privileges (PR:L). The malicious app must already be running on the Mac as a standard user before it can use the bypass; the vulnerability removes the consent step, not the initial foothold
  • Surveillance capability: Access to camera, microphone, and screen recording is the core capability of surveillance software; a TCC bypass is therefore the key enabler for covert macOS spyware
  • XCSSET delivery: The malware spread by injecting itself into Xcode projects, so victims were disproportionately macOS developers, a high-value population for software supply chain attacks
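As an added illustration of the hunt a responder would run for the donor-bundle pattern described above (example code written for this page, not Jamf's or Apple's tooling): the script reads the `access` table of a copy of TCC.db for allowed grants to screen capture, camera, or microphone, then walks an applications directory and reports any .app bundle nested inside a donor that holds such a grant. The column names match the Big Sur TCC.db `access` table; the database and application tree it runs against are a constructed fixture so the script works offline. On a Mac, pass a copy of ~/Library/Application Support/com.apple.TCC/TCC.db and /Applications on the command line (reading the real database requires Full Disk Access for the terminal).

```python
"""Hunt for app bundles planted inside TCC-privileged donor apps.

Added example for this page; the fixture data below is constructed.
"""
import os
import plistlib
import sqlite3
import tempfile

TCC_ALLOWED = 2  # auth_value on Big Sur: 0 denied, 1 unknown, 2 allowed, 3 limited
SENSITIVE_SERVICES = {"kTCCServiceScreenCapture", "kTCCServiceCamera", "kTCCServiceMicrophone"}


def granted_clients(tcc_db_path):
    """Map bundle id -> set of sensitive services it is explicitly allowed to use.

    client_type 0 means the client column holds a bundle identifier
    (1 would be an absolute path to a binary).
    """
    grants = {}
    con = sqlite3.connect(tcc_db_path)
    try:
        rows = con.execute(
            "SELECT client, service FROM access WHERE auth_value = ? AND client_type = 0",
            (TCC_ALLOWED,),
        )
        for client, service in rows:
            if service in SENSITIVE_SERVICES:
                grants.setdefault(client, set()).add(service)
    finally:
        con.close()
    return grants


def bundle_id(app_path):
    """Read CFBundleIdentifier from Contents/Info.plist, or None if unreadable."""
    info = os.path.join(app_path, "Contents", "Info.plist")
    try:
        with open(info, "rb") as f:
            return plistlib.load(f).get("CFBundleIdentifier")
    except (OSError, plistlib.InvalidFileException):
        return None


def nested_bundles(app_path):
    """Yield every .app directory found below the top level of app_path."""
    for root, dirs, _files in os.walk(app_path):
        for d in list(dirs):
            if d.endswith(".app"):
                yield os.path.join(root, d)
                dirs.remove(d)  # report the nested bundle, do not descend into it


def scan_for_nested_bundles(tcc_db_path, applications_dir):
    """Return [(donor_path, donor_bundle_id, nested_app_path, services)] findings."""
    grants = granted_clients(tcc_db_path)
    findings = []
    for name in sorted(os.listdir(applications_dir)):
        if not name.endswith(".app"):
            continue
        donor = os.path.join(applications_dir, name)
        bid = bundle_id(donor)
        if bid not in grants:
            continue  # donor holds no sensitive grant, nothing to inherit
        for nested in nested_bundles(donor):
            findings.append((donor, bid, nested, sorted(grants[bid])))
    return findings


def build_fixture():
    """Constructed TCC.db and Applications tree for an offline run (not real data)."""
    base = tempfile.mkdtemp(prefix="tcc-hunt-")
    db_path = os.path.join(base, "TCC.db")
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2),      # allowed donor
        ("kTCCServiceMicrophone", "us.zoom.xos", 0, 2),
        ("kTCCServiceCamera", "com.example.notes", 0, 0),        # denied, not a donor
    ])
    con.commit()
    con.close()
    apps_dir = os.path.join(base, "Applications")

    def make_app(path, bid):
        os.makedirs(os.path.join(path, "Contents", "MacOS"))
        with open(os.path.join(path, "Contents", "Info.plist"), "wb") as f:
            plistlib.dump({"CFBundleIdentifier": bid}, f)

    make_app(os.path.join(apps_dir, "zoom.us.app"), "us.zoom.xos")
    make_app(os.path.join(apps_dir, "Notes.app"), "com.example.notes")
    # The XCSSET pattern: an applet bundle (hypothetical name) planted inside the donor.
    make_app(os.path.join(apps_dir, "zoom.us.app", "Contents", "MacOS", "applet.app"), "com.example.applet")
    return db_path, apps_dir


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        db_path, apps_dir = sys.argv[1], sys.argv[2]
    else:
        db_path, apps_dir = build_fixture()
    for donor, bid, nested, services in scan_for_nested_bundles(db_path, apps_dir):
        print(f"{nested}\n    nested in {donor} ({bid}) holding {', '.join(services)}")
```

Legitimate apps ship helper bundles (installers, crash reporters, Xcode's toolchain), so the output is a triage list rather than a verdict: for each hit, compare the nested bundle's signing identity against the donor's with `codesign -dv --verbose=4 <nested.app>` and look at its modification time relative to the donor's install date.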

Discovery

Discovered by Jamf Threat Labs security researchers (Stuart Ashenbrenner, Jaron Bradley, and Ferdous Saljooki) during analysis of XCSSET malware. Jamf published the research on May 18, 2021, disclosing the TCC bypass technique. Apple released macOS Big Sur 11.4 with the fix six days later on May 24, 2021. CISA added CVE-2021-30713 to KEV in November 2021, confirming active exploitation through the XCSSET malware campaign.

Exploitation Context

XCSSET is a macOS malware family that targets software developers by injecting malicious code into Xcode project files. When an infected developer builds and shares their project (or an infected app is distributed), the malware spreads. CVE-2021-30713 was the key capability that let XCSSET conduct covert surveillance: by planting its applet inside the bundle of a trusted app such as Zoom that already held the Screen Recording grant, the malware could take screenshots and record the screen without triggering the TCC prompt that would have alerted the user. The developer focus is particularly insidious because developer machines often have elevated privileges and access to production systems, codebases, and signing certificates.

Remediation

  1. Update macOS to Big Sur 11.4 or later; any current macOS release contains the fix
  2. Enable automatic macOS software updates: System Preferences → Software Update → Automatically keep my Mac up to date (System Settings → General → Software Update on macOS Ventura and later)
  3. Review TCC permissions in System Preferences → Security & Privacy → Privacy to audit which apps have been granted access to camera, microphone, screen recording, and other sensitive resources, and revoke any unexpected grants. From a terminal, `tccutil reset ScreenCapture` clears every Screen Recording grant for the current user, and `tccutil reset ScreenCapture <bundle id>` clears a single app's grant
  4. For developers: scan Xcode projects for unexpected modifications or injected files, in particular added run-script build phases in project.pbxproj, before distributing projects publicly or to team members
  5. Keep Apple's built-in XProtect and Malware Removal Tool (MRT, since replaced by XProtect Remediator) current; Apple updates their signatures to detect XCSSET and similar malware, so confirm that background security updates ("Install system data files and security updates") are enabled
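One way to implement the project check in step 4, as an added example (this is not Jamf's, Apple's, or any published XCSSET detection code): XCSSET's known infection route is to add a run-script build phase to a project's project.pbxproj, so the script below pulls every PBXShellScriptBuildPhase out of that file and flags scripts containing download, decode, or execute indicators. project.pbxproj is an OpenStep-style plist that Python's plistlib cannot read, so object bodies and shellScript strings are extracted with regular expressions. The SAMPLE_PBXPROJ fragment and the SUSPICIOUS indicator list are constructed for this demo; pass a real project.pbxproj path on the command line to scan a project.

```python
"""Triage project.pbxproj for injected run-script build phases.

Added example for this page; the sample project text below is constructed.
"""
import re
import sys

# Indicators a reviewer would not expect in a project's own lint or codegen step.
# Hypothetical starting list; extend it for your environment.
SUSPICIOUS = ("curl ", "wget ", "base64", "eval ", "osascript", "python -c", "| sh", "|sh")

# One entry in the 'objects' dictionary:  <id> /* comment */ = { ... };
_OBJECT_RE = re.compile(r'([0-9A-Za-z]+) /\* [^*]* \*/ = \{(.*?)\n\s*\};', re.S)
# The quoted shellScript value, allowing backslash escapes inside the quotes.
_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')


def _unescape(s):
    """Undo pbxproj backslash escapes (newline, tab, quote, backslash)."""
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def run_script_phases(pbxproj_text):
    """Return [(object_id, script_text)] for every PBXShellScriptBuildPhase."""
    phases = []
    for m in _OBJECT_RE.finditer(pbxproj_text):
        obj_id, body = m.group(1), m.group(2)
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        sm = _SCRIPT_RE.search(body)
        phases.append((obj_id, _unescape(sm.group(1)) if sm else ""))
    return phases


def suspicious_phases(pbxproj_text):
    """Return [(object_id, script_text, matched_indicators)] that deserve a human look."""
    out = []
    for obj_id, script in run_script_phases(pbxproj_text):
        hits = [tok for tok in SUSPICIOUS if tok in script]
        if hits:
            out.append((obj_id, script, hits))
    return out


# Constructed fragment in the shape Xcode writes: one benign lint phase and one
# phase that decodes and executes a payload at build time.
SAMPLE_PBXPROJ = r"""// !$*UTF8*$!
{
    objects = {
/* Begin PBXShellScriptBuildPhase section */
        1A2B3C4D5E6F708192A3B4C5 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "swiftlint --strict\n";
        };
        D5E6F70819A2B3C4D5E6F701 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "echo aGVsbG8K | base64 -d | sh\n";
        };
/* End PBXShellScriptBuildPhase section */
    };
}
"""


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for obj_id, script, hits in suspicious_phases(text):
        print(f"[{obj_id}] indicators {hits}:\n{script.rstrip()}\n")
```

Every run-script phase is worth reading, not only the flagged ones; a `git diff` of project.pbxproj after each pull and a diff against the last known-good copy catches a phase whose script avoids the indicator list.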

Key Details

Property              Value
CVE ID                CVE-2021-30713
Vendor / Product      Apple — macOS
NVD Published         2021-09-08
NVD Last Modified     2025-10-23
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-862
CISA KEV Added        2021-11-03
CISA KEV Deadline     2021-11-17
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date        Event
2021-05-18  Jamf Threat Labs discloses CVE-2021-30713 — a TCC bypass found in XCSSET malware targeting macOS developers
2021-05-24  Apple releases macOS Big Sur 11.4, patching CVE-2021-30713
2021-09-08  CVE formally published
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17  CISA BOD 22-01 remediation deadline