A zero-day vulnerability in the brand-new version of the Apple Mojave macOS has been uncovered, which would allow an attacker to access private and confidential information by using an unprivileged app.
The flaw was found by Patrick Wardle, co-founder of Digita Security and creator of Objective-See Mac security tools. On Monday, Wardle announced on Twitter that: “Mojave’s ‘dark mode’ is gorgeous…but its promises about improved privacy protections? kinda #FakeNews.”
Mac Mojave 10.14, released on Monday, contains security fixes for several issues, and introduces new user data protections. These require explicit consent by users for apps to access sensitive areas like location services, contacts, calendars, reminders, photos and so on. It’s a measure meant to thwart malicious actors looking to use synthetic clicks to simulate human finger touches and gain access to private information. Now, authorization prompts pop up that require direct, real user interaction before an app can tap sensitive information. However, users can whitelist (i.e., preauthorize) trusted apps.
“I found a trivial, albeit 100% reliable flaw in their implementation,” Wardle told BleepingComputer, adding that it allows malicious or untrusted apps to bypass the new privacy mechanisms.
The tweet links to a minute-long Vimeo video that teases the vulnerability being used in Mojave’s dark mode, but it doesn’t actually reveal full PoC details – those will be delivered at Wardle’s upcoming Mac Security conference in November. It shows him accessing address book data – populated by demo entries including Edward Snowden, Santa Claus and alleged North Korean spy Park Jin-hyok. He then copies these to the desktop.
Technical details are scant, but Wardle said that the vulnerability exists in the way Apple “implemented the protections for various privacy-related data.” In the tweet thread, he goes on to say that all modes – not just dark mode – are affected by the flaw.
Access to the web cam, microphone and other hardware isn’t impacted by the flaw, he said (Mojave 10.14 also introduces authorization prompts for these).
Wardle on Twitter and in the video noted that there is no public macOS bounty program out there, so he’s still looking for a way to report the issue to Apple. The computing giant did not as of the time of writing connect with Wardle on Twitter, nor did it immediately respond to a request for comment from Threatpost.
In August at DEF CON, Wardle revealed a different Mac zero-day, which could allow a local attacker to virtually “click” a security prompt and thus load a kernel extension on systems running Apple’s latest High Sierra operating system. Kernel access on a Mac gives an adversary unparalleled access to a system and that can be used for full machine compromise.