Privacy Flaw in macOS Allows Safari Clone to Run With Full Access

3 years ago
Anonymous $qOHwDUKgAF

https://wccftech.com/privacy-flaw-in-macos-allows-safari-clone-to-run-with-full-access/

A privacy flaw in macOS discovered by developer Jeff Johnson allows full access to private files within Safari's app folders. The zero-day exploit can give a Safari clone app full access to the user's files; a user tricked into using the clone could have their data stolen by a hacker. The bug was first reported to Apple in December 2019, and impacts macOS 10.14 and later operating system versions.

The flaw, reported by developer Jeff Johnson, exists in the macOS privacy protection system called TCC (Transparency, Consent, and Control), which is supposed to prevent unauthorized apps from accessing protected files on your Mac. TCC only superficially checks the code signature of an app, and grants exceptions based on its bundle identifier. This means that a hacker can theoretically make a clone of the Safari app, place it in a different location on the Mac and modify it to steal data. Due to the privacy protection flaw, the cloned Safari app will still be able to access the private data that the original Safari app has access to.
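
A defender-side check for the weakness described above, as an added example that is not part of the original post or of Apple's code: because a copied bundle keeps the same bundle identifier, this scans for `.app` bundles that declare Safari's identifier outside the expected install path. The identifier `com.apple.Safari`, the path `/Applications/Safari.app` and the sample directory tree are assumptions constructed for the illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumptions (not from the article): Safari's bundle identifier and install path.
SAFARI_BUNDLE_ID = "com.apple.Safari"
EXPECTED_PATHS = {Path("/Applications/Safari.app")}

def bundle_identifier(app):
    """Return CFBundleIdentifier from an .app bundle, or None if unreadable."""
    try:
        with (app / "Contents" / "Info.plist").open("rb") as fh:
            data = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ExpatError):
        return None
    return data.get("CFBundleIdentifier") if isinstance(data, dict) else None

def find_clones(roots, bundle_id=SAFARI_BUNDLE_ID, expected=EXPECTED_PATHS):
    """List .app bundles declaring bundle_id that sit outside the expected paths."""
    allowed = {Path(p).resolve() for p in expected}
    hits = []
    for root in roots:
        for app in Path(root).rglob("*.app"):
            if app.is_symlink() or not app.is_dir():
                continue
            if bundle_identifier(app) == bundle_id and app.resolve() not in allowed:
                hits.append(app)
    return sorted(hits)

def build_sample_tree(base):
    """Constructed sample: one expected install, two copies elsewhere, one other app."""
    layout = {
        "Applications/Safari.app": SAFARI_BUNDLE_ID,
        "Users/test/Downloads/Safari.app": SAFARI_BUNDLE_ID,
        "Users/test/Tools/Browser.app": SAFARI_BUNDLE_ID,  # renamed copy
        "Applications/Notes.app": "com.example.notes",
    }
    for rel, ident in layout.items():
        contents = base / rel / "Contents"
        contents.mkdir(parents=True)
        with (contents / "Info.plist").open("wb") as fh:
            plistlib.dump({"CFBundleIdentifier": ident}, fh)
    return base / "Applications" / "Safari.app"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        genuine = build_sample_tree(Path(tmp))
        for hit in find_clones([tmp], expected={genuine}):
            print("unexpected Safari bundle:", hit)
```

A hit is a lead, not a verdict: legitimate copies such as backups or mounted disk images declare the same identifier too.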