Quicklook operation for a single VCF (contact) file requires access to entire Contacts database even though technically not necessary

Originator:tempelmann
Number:rdar://FB13754641 Date Originated:25 Apr 24
Status:Open Resolved:
Product:macOS Product Version:14.4.1
Classification:Security issue Reproducible:Always
 
macOS requires an app to be given permission by the user to access the user’s contacts. That makes sense.

However, if an app just wants to show the contents of a single .vcf file through the quicklook API, then this file is not part of the user’s contacts that need such protection. For instance, this file might be something the user was just sent from the outside, and the user would like to preview the contents BEFORE importing the contact. That requires that the user can view it with Quicklook. The problem is that QL prompts the user to get the viewing app full access to the contacts even though s/he only wants to view this one file. It opens a security hole because the user may NOT WANT to allow the app full access to the user’s contacts, but is now required to grant it just to view this individual contact file.

I’d expect that when an app uses QL to view a contact file (which is outside the user’s contacts database storage location), that does always works - after all, the same app can also READ the contents itself, meaning that the file isn’t protected  from being read anyway, so there’s no sense in requiring the user to grant full contacts access to the app either.

To reproduce:

You need a program that uses QL to view arbitrary files. My app FindAnyFile does this, for instance, so I give instructions  for using it. Download it from findanyfile.app website or from the MAS.

1. Create a .vcf file, e.g. by opening the Contacts app, selecting a contact and export the contact to disk, e.g. to the Desktop.
2. Launch Find Any File and open a new results window with cmd-shift-N.
3. Drag the .vcf file from the Desktop into the Results window.
4. Select the file in the Results window and press the space bar to invoke Quicklook

See screenshot.

Result: A prompt to authorize FAF to have access to all contacts it presented. If the user declines, quicklook will not show the VCF contents. If the user allows access, QL will work on the file.

Expected behavior: QL should work without getting prompted to give access to ALL the user’s contacts, which is a security flaw the user may not want to give.

Comments

Apple feedback

Just got a note from Apple that this is now being look into. No confirmation that they can reproduce it, yet.

By tempelmann at May 20, 2024, 7:54 p.m. (reply...)

Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!