September 26, 2018 | Swati Khandelwal
The same day Apple released its latest macOS Mojave operating system, a
security researcher demonstrated a potential way to bypass new privacy
implementations in macOS using just a few lines of code and access
sensitive user data.
On Monday, Apple started rolling out its new macOS Mojave 10.14
operating system update to its users, which includes a number of new
privacy and security controls, including authorization prompts.
Mojave 10.14 now pops up authorization prompts that require direct and
real user interaction before any unprivileged third-party application
can tap into users’ sensitive information, such as address books,
location data, message archives, Mail, and photos.
Patrick Wardle, an ex-NSA hacker and now chief research officer at
Digita Security, discovered a zero-day flaw that could allow an attacker
to bypass authorization prompts and access users’ personal information
by using an unprivileged app.
Wardle tweeted a video Monday showing how he was able to bypass the
permission requirements on a dark-themed Mojave system by running just a
few lines of code simulating a malicious app called “breakMojave,”
which allowed him to access the address book and copy it to the macOS
desktop.
However, Wardle goes on to say that the privacy bypass vulnerability affects all modes, not just Mojave’s Dark Mode.
“Mojave’s ‘dark mode’ is gorgeous…but its promises about improved privacy protections? kinda #FakeNews,” Wardle tweeted with a link to a minute-long Vimeo video.
The privacy bypass flaw in Mojave seems concerning because of how
simply it allows personal data to be pilfered, with no permissions
required.
It should be noted that the flaw does not work with all of the new
privacy protection features implemented by Apple in macOS Mojave, and
hardware-based components, like the webcam and microphone, are not
affected.
Since there is no public macOS bounty program to report the
vulnerabilities, Wardle said on Twitter that he’s still looking for a
way to report the flaw to Apple.
To prevent abuse, Wardle is not releasing details beyond the
proof-of-concept video until the company patches the issue. Until
then, Mojave users are advised to be cautious about what apps they
run.
Wardle is set to release more technical details of the vulnerability at his upcoming Mac Security conference in November.
Last month, Wardle publicly disclosed a different macOS zero-day flaw that could allow a malicious application installed on a targeted Mac
system running Apple’s High Sierra operating system to virtually “click”
objects without any user interaction or consent, leading to full system
compromise.