Electron Capture TCC Bypass Vulnerability in macOS

A vulnerability in the Electron Capture application (elecap) on macOS, present in versions through 2.19.1, allows local unprivileged users to bypass macOS TCC (Transparency, Consent, and Control) privacy protections. This is achieved by exploiting misconfigured Electron fuses that enable the app to run as a Node.js interpreter, executing arbitrary code with inherited TCC permissions. The issue has been addressed in version 2.20.0.

Impact

Exploitation of this vulnerability leads to unauthorized access to TCC-protected resources, such as personal folders and sensitive hardware like the microphone and camera, without user consent. This bypass can be used to access protected data and resources, violating the intended macOS security model.

Reproduction

The vulnerability can be reproduced by launching the elecap application with the ELECTRON_RUN_AS_NODE environment variable set to true. This can be done manually or by creating a LaunchAgent that runs the application with the variable enabled. Once the application is running as a Node.js interpreter, it can execute code that accesses TCC-protected resources, such as the Documents folder.

Remediation

Users can update to Electron Capture version 2.20.0 or later, where this vulnerability has been fixed.