CVE-2022-46718 - CoreParsecLocation

CoreParsecLocation is a sample application demonstrating how a third-party app can access a user’s precise location without the user’s consent or permission.

CoreParsec also provides information such as localized search suggestions, knowledge cards, and a temporary user ID. Thankfully, I do not believe the user ID is persisted or recycled at this time.

During a routine Frameworks expedition, I noticed an active parsecd. After a few days of tinkering, I discovered that parsecd would respond to search queries from any application as long as I spoofed the correct header information. In this case, I used the SPPARSession class, which sets up a session for Spotlight.

At first, I assumed that the PARResponse object would only return a GeoIP location (which isn’t that useful on its own). However, after trying numerous search queries, I discovered that searching for “restaurants” would cause parsecd to grab the user’s precise location. It then returned the location information to me via the PARResponse object.

parsec also returns additional information, such as localized news results and search suggestions. I do not believe these contain any user-identifiable information at this time. After submission, I plan to further explore the additional responses.