Ethical hackers prove having a Mac doesn't make you immune to cyberattacks

Posted:
in macOS
A pair of security researchers have successfully hacked a Mac belonging to billionaire film producer Jeffrey Katzenberg -- proving that owning a macOS device isn't an automatic defense against cyber threats.

MacBook Pro
MacBook Pro


Rachel Tobac, a social engineer and CEO of SocialProof Security, successfully carried out the attack on the unspecified macOS device. According to Tobac, the attack was a demonstration for identify theft protection firm Aura -- a company that Katzenberg invests in.

We just hacked a billionaire!
Got consent 1st then got to work hacking Jeffrey Katzenberg. @Evantobac & I stole his pics, emails, and contacts then turned on his mic (without an indicator light) & listened to his phone calls.
Here's the video on how we hacked a billionaire: pic.twitter.com/t63JJQccIr

-- Rachel Tobac (@RachelTobac)


Tobac leveraged a since-patched vulnerability and social engineering skills to get Katzenberg to click on a phishing link on a spoofed website. Once Katzenberg did so, she was able to steal photos, emails, and contacts from the Mac.

Additionally, the hacker was able to turn on the Mac's microphone and eavesdrop on Katzenberg without triggering the build-in macOS microphone indicator.

Tobac's husband Evan -- also a hacker and security researcher -- published another Twitter thread with details on the macOS vulnerability.

The exploit was built based on research from Ryan Pickren, who became notable when he was paid $100,500 for discovering a Safari Universal Cross-Site Scripting bug.

More specifically, the exploit leveraged the underlying bug to carry out an attack using iCloud links and Safari's sharing preferences. Importantly, the attack only worked because Katzenberg's Mac was out of date by several updates.

This attack worked because Jeffrey's OS/browser were out of date by close to 4 months.

4 months was enough for detailed descriptions of the vulnerabilities to become public, for me to read about them and incorporate them into an attack.

This is a good segue into mitigations.

-- Evan Tobac (@evantobac)


According to both Tobacs, some mitigations for the specific attack include keeping machines patched with the latest security updates, using at least two methods of verification for communications, and avoiding clicking on suspicious email links -- particularly if they are sent in an urgent manner.

Read on AppleInsider
TheWindIsRisinghighframerate

Comments

  • Reply 1 of 20
    So, what happen when someone uses an old Mac stuck with an old and unpatchable OS?
    watto_cobra
  • Reply 2 of 20
    Wesley HilliardWesley Hilliard Posts: 223member, administrator, moderator, editor
    alexjenn said:
    So, what happen when someone uses an old Mac stuck with an old and unpatchable OS?
    If you're on a device that old it is time to upgrade. macOS Monterey works on Macs released back to 2015. I think it is safe to say that's long enough.
    watto_cobra
  • Reply 3 of 20
    jimh2jimh2 Posts: 642member
    Nothing says sketchy like "hacking" a computer owned by an owner of the company the hacker works for. Are we really supposed to believe this was not a setup to generate business. Assuming it was not a setup, I still would never advertise this as being done because it looks like a setup. In fact I would be embarrassed to publish this shameless attempt at demonstrating cred.
    lkruppscstrrfwatto_cobra
  • Reply 4 of 20
    sflocalsflocal Posts: 6,110member
    "Hacking" is an overused and abused term.  No OS, regardless of the company is 100% secure.  This was a phishing attack.  There's a difference.


    dewmestompyscstrrfwatto_cobra
  • Reply 5 of 20
    maltzmaltz Posts: 474member
    Ethical hackers prove having a Mac doesn't make you immune to cyberattacks
    Who said that it did? Mac antivirus has been around as long as Windows and even DOS antivirus. The ONLY people I've ever heard cite that claim are people trolling Apple users accusing the Apple users of believing it.
    watto_cobra
  • Reply 6 of 20
    jimh2 said:
    Nothing says sketchy like "hacking" a computer owned by an owner of the company the hacker works for. Are we really supposed to believe this was not a setup to generate business. Assuming it was not a setup, I still would never advertise this as being done because it looks like a setup. In fact I would be embarrassed to publish this shameless attempt at demonstrating cred.
    Good lord, did you even read the story?
    watto_cobra
  • Reply 7 of 20
    crowleycrowley Posts: 10,453member
    alexjenn said:
    So, what happen when someone uses an old Mac stuck with an old and unpatchable OS?
    Switch to Linux
    brian.on.androidwatto_cobra
  • Reply 8 of 20
    There's a fun movie-intro with Robert Redford where he's paid to "hack" a bank.
    He physically breaks in at night, then hacks into the computers, creating fake accounts with $$$
    The next morning, in a suit, he goes in as a customer and closes the accounts.
    Teller asks politely why he's closing the accounts.
    "I didn't feel my $$$ was safe here", with a nice smile.
    Takes the briefcase upstairs in the bank to the board of directors conference room and opens it, with all the $$$.
    "You guys aren't that secure."

    watto_cobra
  • Reply 9 of 20
    zimmiezimmie Posts: 651member
    alexjenn said:
    So, what happen when someone uses an old Mac stuck with an old and unpatchable OS?
    For at least another version or two, OpenCore Legacy Patcher can help. It uses software developed for the Hackintosh community to run current macOS on older hardware. Depending on the exact model, you may need some post-installation patching, which prevents SIP. If you have a Metal-compatible video card, you can generally get everything: SIP, FileVault, read-only system volume, all the software security features available without a T-series chip.
    watto_cobra
  • Reply 10 of 20
    netroxnetrox Posts: 1,464member
    The biggest threat for me is the companies that hold my accounts and got exposed to hackers. 

    I've used computers as long as the Web existed and never got "hacked" personally but my accounts that got hacked was the companies who apparently failed to secure my accounts (Adobe and T-Mobile are examples) as reported by monitoring companies.  
     
    I always ignore phishing attempts. I know that IRS doesn't threaten me. I know that government will not seize my properties if I don't pay. It's not how it works. Yet we have so many people that actually believe that non-sense. 






    iqatedoAlex_Vwatto_cobra
  • Reply 11 of 20
    waveparticlewaveparticle Posts: 1,497member
    netrox said:
    The biggest threat for me is the companies that hold my accounts and got exposed to hackers. 

    I've used computers as long as the Web existed and never got "hacked" personally but my accounts that got hacked was the companies who apparently failed to secure my accounts (Adobe and T-Mobile are examples) as reported by monitoring companies.  
     
    I always ignore phishing attempts. I know that IRS doesn't threaten me. I know that government will not seize my properties if I don't pay. It's not how it works. Yet we have so many people that actually believe that non-sense. 






    First rate companies hire teams of excellent IT workers monitoring their systems 24 hours non-stop. 
    watto_cobra
  • Reply 12 of 20
    sevenfeetsevenfeet Posts: 469member
    And this is exactly why when there is an update from Apple, large or small, that I take every single device from my family members and patch it that day. For friends and family I help out with but don't see often, their machines are on auto-update. It's that important to keep up with patches since nearly all of them have security fixes these days.
    watto_cobra
  • Reply 13 of 20
    dewmedewme Posts: 5,549member
    sflocal said:
    "Hacking" is an overused and abused term.  No OS, regardless of the company is 100% secure.  This was a phishing attack.  There's a difference.


    Absolutely true on all counts. In any process, function, activity, or endeavor with a human in the loop, the human is almost always the weakest link. Hate to say it, but we kind of suck and need to put guardrails in place to protect us - from ourselves. Sigh ...
    watto_cobra
  • Reply 14 of 20
    GG1GG1 Posts: 483member
    crowley said:
    alexjenn said:
    So, what happen when someone uses an old Mac stuck with an old and unpatchable OS?
    Switch to Linux

    Just use the un-upgradable argument to justify a Studio! I did! (from a 2012 Mini stuck on 10.15)
    watto_cobra
  • Reply 15 of 20
    AppleZuluAppleZulu Posts: 2,098member
    No system is guaranteed to be invulnerable. 

    That said, these sorts of stories are always fascinating when you read the details and learn that the ‘exploit’ involves a user who has failed to implement multiple layers of basic precautions and/or an incredibly unlikely scenario for the hackers, like stealing a device, molesting and returning it undetected, etc. 

    Again, no system is invulnerable but when the exploit can be prevented by simply loading security updates within a reasonable time, is it really newsworthy?
    jas99watto_cobra
  • Reply 16 of 20
    mrstepmrstep Posts: 516member
    jimh2 said:
    Nothing says sketchy like "hacking" a computer owned by an owner of the company the hacker works for. Are we really supposed to believe this was not a setup to generate business. Assuming it was not a setup, I still would never advertise this as being done because it looks like a setup. In fact I would be embarrassed to publish this shameless attempt at demonstrating cred.
    Good lord, did you even read the story?
    Did jimh2 miss the part where the hacker works for a cyber-security company that Katzenberg invested in and then Katzenberg clicked a phishing link to get his machine infected? Oh no, it looks like jimh2 read that part correctly.
    jas99scstrrfAlex_Vwatto_cobra
  • Reply 17 of 20
    AppleZulu said:
    No system is guaranteed to be invulnerable. 

    That said, these sorts of stories are always fascinating when you read the details and learn that the ‘exploit’ involves a user who has failed to implement multiple layers of basic precautions and/or an incredibly unlikely scenario for the hackers, like stealing a device, molesting and returning it undetected, etc. 

    Again, no system is invulnerable but when the exploit can be prevented by simply loading security updates within a reasonable time, is it really newsworthy?
    It is still a good reminder for folks to keep their devices patched and to not click on suspicious links. As much and everyone reading this think it's obvious, there are still major hacks in the news that started this way.
  • Reply 18 of 20
    dk49dk49 Posts: 272member
    How were they able to spoof Anthony's phone number?
    watto_cobra
  • Reply 19 of 20
    AppleZuluAppleZulu Posts: 2,098member
    AppleZulu said:
    No system is guaranteed to be invulnerable. 

    That said, these sorts of stories are always fascinating when you read the details and learn that the ‘exploit’ involves a user who has failed to implement multiple layers of basic precautions and/or an incredibly unlikely scenario for the hackers, like stealing a device, molesting and returning it undetected, etc. 

    Again, no system is invulnerable but when the exploit can be prevented by simply loading security updates within a reasonable time, is it really newsworthy?
    It is still a good reminder for folks to keep their devices patched and to not click on suspicious links. As much and everyone reading this think it's obvious, there are still major hacks in the news that started this way.
    I have no issue with reminders that security requires end-user participation. My complaint is that so much of the reporting on these proof of concept hacks come with headlines and tone that suggest a broad threat, while the details describe a convoluted, impractical exercise that is only meaningful to the folks who carried it off and possibly a very limited number of other circumstances involving high-value, foolishly careless targets.
    watto_cobra
Sign In or Register to comment.