Zero-day vulnerability in macOS Mojave bypasses system-level privacy permissions

Posted in macOS, edited September 2018
Apple's macOS Mojave, which was released to users around the world on Monday, includes a faulty implementation of security protections that can potentially expose personal user data, according to one security researcher.

macOS Mojave Permissions


Outlined by Patrick Wardle of Digita Security, the apparent flaw allows an unprivileged app to bypass built-in system-level permissions and skim user information from certain apps. Wardle has uncovered a number of Apple-related security issues, the most recent being the exfiltration of sensitive user data by popular Mac App Store app Adware Doctor.

Apple during this year's Worldwide Developers Conference in June introduced an extended set of macOS security features that require users to provide express permission to use select apps and hardware. Specifically, users need to authorize access to Mac's camera, microphone, Mail history, Messages, Safari, Time Machine and iTunes backups, locations, routines and system cookies when running macOS Mojave.

In a short video uploaded to Twitter, Wardle demonstrates a bypass to at least one of these protections.

The brief demonstration shows a first failed attempt to access and copy contacts through Terminal, an expected result under Apple's security measures. Wardle then runs an unprivileged app, aptly called "breakMojave," to locate and access Mac's Address Book.

With access secured, Wardle is able to run a list command to view all files in the private folder, including metadata and images.



Speaking to TechCrunch, Wardle said the exploit is "not a universal bypass" of the extended permissions feature, but noted the procedure can be leveraged to gain access to protected data when a user is logged in to macOS. As such, the flaw is unlikely to pose a major problem for most users, but could be troublesome in certain situations.

The security researcher is keeping details of the bug private to protect the general public, but said he aired the bypass to draw attention to Apple's lack of a bug bounty for Mac. Indeed, a cheeky line in Wardle's script reads, "Submitting report to [email protected] . .ERROR: macOS bug bounty program not found :/"

Apple currently runs an iOS bug bounty program, introduced in 2016, that pays out up to $200,000 for bugs related to secure boot firmware components, though the company has yet to roll out a similar incentives initiative for Mac.

With the bug now out in the open, Apple will undoubtedly inquire about its details and issue a patch in a coming update.

Comments

  • Reply 1 of 14
    While I want the OS to be secure, it always seems odd that they wait until the day it's released to reveal a security flaw.. What's wrong with actually showing Apple the issue long before the release, did it pop up only in the GM? Seems unlikely, since it's only been available a few days at most. And yet while it's an issue, someone would actually have to install some app that would have the flaw in it, and what are the chances of that.. about the same as the flaw.. Zero...
  • Reply 2 of 14
    Maybe instead of wasting time on emoji they might want to spend some cash on security. 
  • Reply 3 of 14
    Yes, I suspect Apple is spending zero on macOS security. All those emoji are sucking the life out of their bank accounts. Reality check: this is an infinitesimally small exploit and risk requiring sophisticated knowledge and a “breaker” app and will be patched by the time you think up your next witty comment.
  • Reply 4 of 14
    Lesson in all this: Don't upgrade your OSes for at least 4 months after release.
  • Reply 5 of 14
    chasm Posts: 1,545 member
    tyler82 said:
    Lesson in all this: Don't upgrade your OSes for at least 4 months after release.
    Not at all: your chances of being affected by this bug are 0.000000000001 percent, approximately. To put it another way: if you're using anything made by Google, or anything to do with Alexa, your private data is far more compromised than this exploit, even if you're the one-in-a-few-billion who is actually attacked by this before it is patched, could dream of.

    If you want to wait, of course that's your prerogative, but this ... is not a valid reason to do so.
  • Reply 6 of 14
    chasm said:
    tyler82 said:
    Lesson in all this: Don't upgrade your OSes for at least 4 months after release.
    Not at all: your chances of being affected by this bug are 0.000000000001 percent, approximately. To put it another way: if you're using anything made by Google, or anything to do with Alexa, your private data is far more compromised than this exploit, even if you're the one-in-a-few-billion who is actually attacked by this before it is patched, could dream of.

    If you want to wait, of course that's your prerogative, but this ... is not a valid reason to do so.
    While I don’t have a number for months to wait, I agree with waiting, from my personal experience. I usually aim for a month but it ends up being 9-10 months because I really don’t mind my MacBook being out of date. Being reliable is more important. 
  • Reply 7 of 14
    Has Apple ever commented on why they don’t have a bug bounty program for Mac OS comparable to their iOS program?  If nothing else it would be good PR (or reduce negative PR). 
  • Reply 8 of 14
    Rayz2016 Posts: 4,604 member
    davgreg said:
    Maybe instead of wasting time on emoji they might want to spend some cash on security. 

    Your incredibly insightful post is unclear: is the problem time or cash?

    Were you aiming for a 'time is money' metaphor?

    Or do you simply believe that Apple security engineers work as graphic designers in their lunch breaks?


    edited September 2018
  • Reply 9 of 14
    Rayz2016 Posts: 4,604 member

    Speaking to TechCrunch, Wardle said the exploit is "not a universal bypass" of the extended permissions feature, but noted the procedure can be leveraged to gain access to protected data when a user is logged in to macOS. As such, the flaw is unlikely to pose a major problem for most users, but could be troublesome in certain situations.
    Well, that's conveniently vague.

    The security researcher is keeping details of the bug private to protect the general public, but said he aired the bypass to draw attention to Apple's lack of a bug bounty for Mac. Indeed, a cheeky line in Wardle's script reads, "Submitting report to [email protected] . .ERROR: macOS bug bounty program not found :/"

    No, bug bounties work for open source software where volunteers can earn a reward for fixing the problem, not just discovering them.

    If Apple offered a bounty for bugs discovered then development would grind to a halt as every Tom, Dick and Harry starts submitting poorly-tested scenarios and edge cases (as this one appears to be) as a bug. Apple simply wouldn't know which ones to start investigating.

  • Reply 10 of 14
    tyler82 said:
    Lesson in all this: Don't upgrade your OSes for at least 4 months after release.
    Agreed. Absolutely no-one should update for 4 months. And then Apple should release new updates not in autumn, but in summer, so we can all finally update in autumn.
    edited September 2018
  • Reply 11 of 14
    gatorguy Posts: 20,618 member
    Rayz2016 said:



    The security researcher is keeping details of the bug private to protect the general public, but said he aired the bypass to draw attention to Apple's lack of a bug bounty for Mac. Indeed, a cheeky line in Wardle's script reads, "Submitting report to [email protected] . .ERROR: macOS bug bounty program not found :/"

    No, bug bounties work for open source software where volunteers can earn a reward for fixing the problem, not just discovering them.

    If Apple offered a bounty for bugs discovered then development would grind to a halt as every Tom, Dick and Harry starts submitting poorly-tested scenarios and edge cases (as this one appears to be) as a bug. Apple simply wouldn't know which ones to start investigating.

    Then why does Apple have a bug bounty program for iOS? It's certainly not open-source.
  • Reply 12 of 14
    Is that proof of concept? So the malware must be run by the user manually from within Terminal to access contacts ???!!!
  • Reply 13 of 14
    dewme Posts: 2,071 member
    I agree with the researcher that Apple should provide a bug bounty for Mac, not just iOS.

    In the meantime, don't install "breakMojave" app from the web or app store. ;) 
  • Reply 14 of 14
    volcan Posts: 1,789 member
    seankill said:
    While I don’t have a number for months to wait, I agree with waiting, from my personal experience. I usually aim for a month but it ends up being 9-10 months because I really don’t mind my MacBook being out of date. Being reliable is more important. 
    I ignore update messages, sometimes for a month or so, not because I don't trust the update but because I hate rebooting my machine since I have lots of projects going on with lots of apps and windows open. My iMac and Mac Pro run 24/7. I just don't want to go through the hassle of closing down and relaunching everything. At the beginning of each calendar quarter I have to make an external backup so at that point I clean off my desktop, backup and install the upgrades.