ASA-2019-00527 – Little Snitch: Privilege escalation vulnerability due to an exposed XPC interface

In an internal audit, Objective Development has found a privilege escalation vulnerability in the privileged helper tool of Little Snitch. The privileged helper exposes an XPC interface on a globally available communication endpoint without additional authorization checks on connecting clients. The XPC API is therefore available to any local process and allows listing of directories and copying of files with root privileges.
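The missing control described above is a check on who is connecting to the helper's Mach service. The following is an added example, not Objective Development's code or their actual fix: a privileged helper listener that accepts only clients satisfying a code signing requirement. The service name `com.example.helper`, the client identifier `com.example.app`, the team ID `ABCDE12345` and the `HelperProtocol` interface are hypothetical placeholders, and the listener API used requires macOS 13 or later.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical interface; the advisory does not publish the helper's real protocol.
@protocol HelperProtocol
- (void)listDirectory:(NSString *)path
            withReply:(void (^)(NSArray<NSString *> *entries))reply;
@end

@interface HelperDelegate : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end

@implementation HelperDelegate
// Reached only for peers that already satisfied the signing requirement set in main().
- (BOOL)listener:(NSXPCListener *)listener
        shouldAcceptNewConnection:(NSXPCConnection *)connection {
    connection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    connection.exportedObject = self;
    [connection resume];
    return YES;
}

- (void)listDirectory:(NSString *)path
            withReply:(void (^)(NSArray<NSString *> *entries))reply {
    NSArray<NSString *> *entries =
        [[NSFileManager defaultManager] contentsOfDirectoryAtPath:path error:NULL];
    reply(entries ?: @[]);
}
@end

int main(void) {
    @autoreleasepool {
        // Constructed requirement: only the vendor's own signed client may connect.
        NSString *requirement = @"anchor apple generic and "
            @"identifier \"com.example.app\" and "
            @"certificate leaf[subject.OU] = \"ABCDE12345\"";
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
        HelperDelegate *delegate = [HelperDelegate new];
        listener.delegate = delegate;
        if (@available(macOS 13.0, *)) {
            // Non-matching peers are rejected before the delegate is consulted.
            [listener setConnectionCodeSigningRequirement:requirement];
        } else {
            NSLog(@"No peer requirement API available; refusing to serve.");
            return 1; // fail closed rather than expose the interface unchecked
        }
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

Without the requirement call, `shouldAcceptNewConnection:` as written would accept every local process, which is the exposure the advisory describes.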