Poedit Transparency, Consent, and Control Permissions Bypass Vulnerability on macOS

Vulnerability

A vulnerability exists in the macOS version of Poedit: the application bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions the user has granted to Poedit. An attacker with local user access can run arbitrary commands or scripts through that interpreter and use Poedit's TCC grants to read files in privacy-protected folders, such as Documents, without any permission prompt being shown to the user. Accessing resources beyond the permissions already granted would still trigger a prompt, but because that prompt is attributed to Poedit rather than to the attacker's code, it could be used to disguise malicious intent. The vulnerability affects Poedit versions 2.0 through 3.6.3 and has been patched in version 3.6.3.

Impact

Exploitation of this vulnerability allows for unauthorized access to files in privacy-protected folders, bypassing normal user permission prompts. This could lead to the disclosure of sensitive information.

Remediation

Users should update to Poedit version 3.6.3 or newer to address this vulnerability. If an older version must be kept, it is recommended not to grant Poedit access to protected folders. These grants can be reviewed and revoked in System Settings under Privacy & Security, in the Files & Folders section.
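The following POSIX shell script is an added example, not part of this advisory or of the Poedit project. It implements the remediation check above for a fleet or a single Mac: it reads the installed bundle's version string and reports whether it falls inside the range the advisory names (2.0 up to, but not including, the 3.6.3 fix). The application path /Applications/Poedit.app is an assumption; the version comparison is done in awk so it behaves the same on macOS and Linux and can be tested with constructed version strings.

```shell
#!/bin/sh
# Added example (not from the advisory): is the installed Poedit in the affected range?

# vercmp A B: prints -1, 0 or 1 for A < B, A == B, A > B.
# Dotted numeric components are compared left to right; a missing component counts as 0,
# so "3.6" == "3.6.0" and "3.10" > "3.9".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# poedit_affected VERSION: succeeds (exit 0) when VERSION is >= 2.0 and < 3.6.3,
# i.e. inside the range the advisory lists as vulnerable and below the fixed release.
poedit_affected() {
    [ "$(vercmp "$1" 2.0)" -ge 0 ] && [ "$(vercmp "$1" 3.6.3)" -lt 0 ]
}

# installed_poedit_version [APP_PATH]: CFBundleShortVersionString from the bundle's
# Info.plist (macOS only). The default path is an assumption; pass another if needed.
installed_poedit_version() {
    app="${1:-/Applications/Poedit.app}"
    defaults read "$app/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null
}

# check_installed_poedit [APP_PATH]: human-readable verdict for the local machine.
# Exit status: 0 = fixed version, 1 = affected version, 2 = Poedit not found.
check_installed_poedit() {
    v=$(installed_poedit_version "$1") || v=""
    if [ -z "$v" ]; then
        echo "Poedit not found at ${1:-/Applications/Poedit.app}"
        return 2
    fi
    if poedit_affected "$v"; then
        echo "Poedit $v is in the affected range (2.0 <= v < 3.6.3): update to 3.6.3 or newer."
        echo "Until then, remove Poedit's grants in System Settings > Privacy & Security > Files & Folders."
        return 1
    fi
    echo "Poedit $v is at or above the fixed release 3.6.3."
    return 0
}

# Run the local check only on macOS; on other systems the functions are just defined.
if [ "$(uname)" = "Darwin" ]; then
    check_installed_poedit "$1"
fi
```

Run it with `sh check_poedit.sh` on the Mac being audited, or pass a different bundle path as the first argument. The version check is deliberately separated from the plist read so the same `poedit_affected` function can be fed version strings collected by an MDM or inventory tool.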

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.0
remediation: 7.7
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.