Security researcher Patrick Wardle has disclosed a new security vulnerability in the latest version of macOS, Mojave, hours before the version was released. The researcher demonstrated the privacy feature bypass in a video shared on Twitter. The purpose of the privacy feature is to prevent apps from improperly accessing the user’s personal data.
In a conversation with TechCrunch, the researcher said that the vulnerability is not a universal bypass of the feature, but it could still allow a malicious app to access protected user data whenever the user is logged in. It should be noted that Apple began forcing apps to ask for permission before accessing users’ contacts and calendar after some iOS apps were caught uploading sensitive user data. The company later expanded the privacy feature so that apps must also ask for permission to access the device’s camera, microphone, email and backups, TechCrunch explained.
What Did Wardle’s Video Reveal?
In the video, the researcher shows how macOS at first rejects access to his stored contacts. However, after he runs an unprivileged script that mimics a malicious app, the system copies all of his contacts to the desktop.
Out of concern for users’ security, the researcher hasn’t released further details about the vulnerability.
Nonetheless, he decided to release his video because he feels that Apple’s lack of a bug bounty program is a real obstacle for researchers who want to report security issues. In Wardle’s own words, other OS vendors have acknowledged that no software is free of vulnerabilities, but Apple is “sticking its head in the sand”.
To be more precise, Apple did start a bug bounty program about 2 years ago, but it only covers iOS bugs. Apple has so far declined to start a bug bounty program for macOS, without giving any particular reason for that decision.
Curiously enough, this is not the first time Wardle has released information about a serious security loophole in Apple software. About a year ago the researcher revealed a password exfiltration exploit in a similar fashion, on the day Apple launched macOS High Sierra.
The researcher is expected to reveal more about the newly discovered bug in macOS Mojave at the Objective by the Sea conference in November.
Mojave is the fifteenth major release of macOS, and it was announced at the WWDC 2018, on June 4, 2018. Mojave was released to the public on September 24, 2018.