A security researcher has discovered “a new hole” in macOS Mojave’s privacy protections. The vulnerability exists in every version of Mojave, including the macOS Mojave 10.14.3 Supplemental Update, which was released on February 7.
The privacy hole was discovered by application developer Jeff Johnson on February 8 and is currently unpatched. All versions of macOS Mojave are affected, even the most recent one, the Mojave 10.14.3 Supplemental Update released on February 7.
macOS Mojave Privacy Vulnerability: Technical Summary
In short, the latest version of macOS Mojave has a bug that could allow a malicious app to access data stored in restricted folders. Not every app can access these folders; Mojave grants special access to them to only a select number of apps, such as Finder.
“On Mojave, certain folders have restricted access that is forbidden by default. For example, ~/Library/Safari,” the researcher explained. In the Terminal app, users are not even able to list the contents of that folder:
$ ls Library/Safari
ls: Safari: Operation not permitted
$ sudo ls Library/Safari
Password:
ls: Safari: Operation not permitted
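The denial in the session above is "Operation not permitted" (EPERM) rather than "Permission denied" (EACCES), which is why sudo makes no difference. The following check is an added example, not code from Johnson or from the original article: it tries to list protected folders from the current process and reports which layer refused. The function names and the two folders besides ~/Library/Safari are assumptions made for illustration.

```python
import errno
import os

# Assumption: besides ~/Library/Safari (named in the article), the other
# entries are further Mojave privacy-protected folders added for illustration.
PROTECTED = ["~/Library/Safari", "~/Library/Mail", "~/Library/Messages"]


def classify(path, lister=os.listdir):
    """Try to list `path` and say which layer, if any, refused.

    `lister` is injectable so the logic can be exercised off macOS.
    """
    try:
        entries = lister(os.path.expanduser(path))
    except FileNotFoundError:
        return "missing"
    except OSError as exc:
        if exc.errno == errno.EPERM:
            # "Operation not permitted": policy denial, unaffected by sudo.
            return "blocked-by-privacy-protection"
        if exc.errno == errno.EACCES:
            # "Permission denied": ordinary Unix mode bits or ACLs.
            return "blocked-by-unix-permissions"
        raise
    return f"readable ({len(entries)} entries)"


def audit(paths=PROTECTED, lister=os.listdir):
    """Return a {path: verdict} map for every folder in `paths`."""
    return {p: classify(p, lister) for p in paths}


if __name__ == "__main__":
    for path, verdict in audit().items():
        print(f"{path}: {verdict}")
```

A "readable" verdict from a process that the user never granted access to is the result worth investigating.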
The researcher discovered a way to bypass the protections in Mojave and allow apps to look inside ~/Library/Safari without acquiring any permission from the system or from the user. Since there are no permission dialogues, a malicious app could secretly violate the user’s privacy by going through their web browsing history.
It should be noted that Johnson’s bypass works with the “hardened runtime” enabled.
“Thus, an app with the ability to spy on Safari could be ‘notarized’ by Apple (as long as it passed their automated malware checks, which I suspect would be no problem). My bypass does not work with sandboxed apps, as far as I can tell,” Johnson wrote.
It is curious to note that security researcher Patrick Wardle disclosed a similar privacy bypass in Mojave (https://sensorstechforum.com/macos-mojave-privacy-feature-bypas-bug/) hours before the version was released.
The researcher demonstrated the privacy feature bypass in a video shared on Twitter, showing how macOS at first rejected access to his stored contacts. However, after running an unprivileged script that mimicked a malicious app, the system copied all of his contacts to the desktop.