This is a quick blogpost about a vulnerability I covered in our Black Hat Europe 2022 talk with Wojciech Regula. Contrary to what people would expect, the list of clients that can access location services is not kept in one of the TCC databases, but in a separate location, which is maintained by locationd. This has also been covered recently by Howard Oakley, in his "Privacy: what TCC does and doesn’t" blogpost.