A vulnerability in macOS Finder allows files with the inetloc extension to run arbitrary commands. These files can be embedded in emails, and when the user clicks on them, the commands they contain are executed without any prompt or warning.
This flaw was discovered by Park Minchan, an independent security researcher.
A flaw in the way macOS handles inetloc files causes it to run the instructions embedded in them; those instructions can launch commands local to macOS, so arbitrary commands are executed on the user's machine without warning or prompting.
Originally, inetloc files were shortcuts to an Internet location, such as an RSS feed or a telnet server. They contained the server address and, in some cases, a username and password for SSH and telnet connections, and they could be created by typing a URL in a text editor and dragging the text to the Desktop.
In this case, the inetloc file points at the file:/ “protocol” (URL scheme), which allows files stored locally on the user's machine to be launched.
If the inetloc file is attached to an email, clicking on it will automatically activate the vulnerability.
Newer versions of macOS (since Big Sur) disallow the file:/ prefix (in com.apple.generic-internet-location); however, the check matches the prefix case-sensitively, so File:/ or fIle:/ bypasses it.
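The bypass described above is a classic case-sensitivity mistake: URL schemes are case-insensitive per RFC 3986, so any filter that compares the literal string `file:/` misses `File:/` and `fIle:/`. The following added example (not code from the article or from Apple) contrasts that naive check with a scheme-normalising one and runs both over constructed sample inetloc files. It assumes the common inetloc layout of a property list with a top-level `URL` key; the sample file contents and paths are constructed for the demonstration. A mail gateway or endpoint scanner could apply the same normalised check to inetloc attachments.

```python
import plistlib
from urllib.parse import urlsplit
from xml.parsers.expat import ExpatError

# Constructed sample .inetloc files. The layout (an XML property list whose
# top-level dict has a "URL" key) is an assumption about the format; plistlib
# also parses binary plists, so the same code handles those.
def _inetloc(url: str) -> bytes:
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>{url}</string>
</dict>
</plist>""".encode()

SAMPLE_INETLOC_FILES = {
    "benign_rss.inetloc": _inetloc("https://example.com/feed.rss"),
    "lowercase_file.inetloc": _inetloc("file:///path/to/local/item"),   # constructed path
    "mixed_case_file.inetloc": _inetloc("fIle:///path/to/local/item"),  # constructed path
    "corrupt.inetloc": b"not a property list at all",
}


def naive_check(url: str) -> bool:
    """The case-sensitive test the article describes: rejects only an exact 'file:/' prefix."""
    return url.startswith("file:/")


def scheme_of(url: str) -> str:
    """Return the URL scheme normalised to lower case.

    urlsplit() already lower-cases the scheme, matching RFC 3986, so
    'File:/...' and 'fIle:/...' both normalise to 'file'.
    """
    return urlsplit(url.strip()).scheme.lower()


def inspect_inetloc(data: bytes) -> dict:
    """Parse one inetloc file and decide whether it points at a local file.

    Anything that cannot be parsed or lacks a string URL is flagged as well:
    a shortcut that does not look like a shortcut deserves a closer look.
    """
    try:
        plist = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return {"url": None, "scheme": None, "flagged": True, "reason": "unparseable plist"}

    url = plist.get("URL") if isinstance(plist, dict) else None
    if not isinstance(url, str):
        return {"url": None, "scheme": None, "flagged": True, "reason": "missing URL key"}

    scheme = scheme_of(url)
    if scheme == "file":
        return {"url": url, "scheme": scheme, "flagged": True, "reason": "local file: scheme"}
    return {"url": url, "scheme": scheme, "flagged": False, "reason": "remote location"}


def scan(files: dict) -> dict:
    """Run inspect_inetloc over a mapping of filename -> file bytes."""
    return {name: inspect_inetloc(data) for name, data in files.items()}


if __name__ == "__main__":
    for name, result in scan(SAMPLE_INETLOC_FILES).items():
        verdict = "FLAGGED" if result["flagged"] else "ok     "
        print(f"{verdict} {name}: {result['reason']} (url={result['url']!r})")
```

Running the block shows the benign RSS shortcut passing while both the lower-case and mixed-case `file:` shortcuts are flagged; the naive check, by contrast, only catches the lower-case one.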
Below is a demonstration on how this vulnerability works: