A security researcher shows on Mojave’s release day that Apple’s latest privacy protection implementations in macOS are not sufficiently strong.
In a minute-long clip, Patrick Wardle shows that the security in the dark-themed macOS can be bypassed to reach sensitive user data, such as the information in the address book.
Faulty implementation of the new security mechanism
Wardle told us he was able to access the confidential user contacts via an unprivileged app, meaning that it did not run with administrator permissions.
He says that the zero-day vulnerability stems from the way Apple implemented the protections for various privacy-related data.
“I found a trivial, albeit 100% reliable flaw in their implementation,” he told us, adding that it allows a malicious or untrusted app to bypass the new security mechanism and access the sensitive details without authorization.
Wardle says that the bypass he found does not work with all of Mojave’s new privacy protection features, and hardware-based components like the webcam are unaffected.
The researcher said that he is withholding the technical details until the upcoming Mac Security conference that he is organizing in Maui, Hawaii, in November.
In the demo video below, Wardle tries to copy the contents of the address book and denies the operation when the operating system asks for permission.
He then runs an unprivileged app that allows him to copy the address book data to the desktop and provides access to the few entries he added for demo purposes.
User data protection in macOS Mojave
As part of the new user data protections in macOS Mojave, users need to provide their consent explicitly for access to location services, contacts, calendars, reminders, photos, and other private information and files.
This means that applications can no longer obtain this access automatically by simulating human input (aka synthetic clicks) using prescribed APIs. Any such access is now blocked in Apple’s latest OS, and an authorization prompt is triggered for direct user interaction.
To reduce the annoyance generated by the authorization prompts, Apple allows the user to pre-authorize the apps they want to allow access to the sensitive data.
This is possible by adding them to the system’s Application Data category in the System Preferences, Security & Privacy panel.
Patrick Wardle is an experienced macOS hacker and the creator of several free security tools for Mac. He has discovered multiple security bugs in Apple’s operating system, the latest one found by accident and presented at the Def Con conference in August.