Ethical hackers prove having a Mac doesn't make you immune to cyberattacks

A pair of security researchers have successfully hacked a Mac belonging to billionaire film producer Jeffrey Katzenberg -- proving that owning a macOS device isn't an automatic defense against cyber threats.

MacBook Pro

Rachel Tobac, a social engineer and CEO of SocialProof Security, successfully carried out the attack on the unspecified macOS device. According to Tobac, the attack was a demonstration for identity theft protection firm Aura -- a company that Katzenberg invests in.

We just hacked a billionaire!
Got consent 1st then got to work hacking Jeffrey Katzenberg. @Evantobac & I stole his pics, emails, and contacts then turned on his mic (without an indicator light) & listened to his phone calls.
Here's the video on how we hacked a billionaire: pic.twitter.com/t63JJQccIr

-- Rachel Tobac (@RachelTobac)


Tobac leveraged a since-patched vulnerability and social engineering skills to get Katzenberg to click on a phishing link on a spoofed website. Once Katzenberg did so, she was able to steal photos, emails, and contacts from the Mac.

Additionally, the hacker was able to turn on the Mac's microphone and eavesdrop on Katzenberg without triggering the built-in macOS microphone indicator.

Tobac's husband Evan -- also a hacker and security researcher -- published another Twitter thread with details on the macOS vulnerability.

The exploit was built based on research from Ryan Pickren, who became notable when he was paid $100,500 for discovering a Safari Universal Cross-Site Scripting bug.

More specifically, the exploit leveraged the underlying bug to carry out an attack using iCloud links and Safari's sharing preferences. Importantly, the attack only worked because Katzenberg's Mac was out of date by several updates.

This attack worked because Jeffrey's OS/browser were out of date by close to 4 months.

4 months was enough for detailed descriptions of the vulnerabilities to become public, for me to read about them and incorporate them into an attack.

This is a good segue into mitigations.

-- Evan Tobac (@evantobac)


According to both Tobacs, some mitigations for the specific attack include keeping machines patched with the latest security updates, using at least two methods of verification for communications, and avoiding clicking on suspicious email links -- particularly if they are sent in an urgent manner.


Comments

  • Reply 1 of 20
    So, what happens when someone uses an old Mac stuck with an old and unpatchable OS?
    watto_cobra
    1 Like, 0 Dislikes, 0 Informatives
  • Reply 2 of 20
    Wesley Hilliard (Posts: 446; member, administrator, moderator, editor)
    alexjenn said:
    So, what happens when someone uses an old Mac stuck with an old and unpatchable OS?
    If you're on a device that old it is time to upgrade. macOS Monterey works on Macs released back to 2015. I think it is safe to say that's long enough.
    watto_cobra
    1 Like, 0 Dislikes, 0 Informatives
  • Reply 3 of 20
    jimh2 (Posts: 685; member)
    Nothing says sketchy like "hacking" a computer owned by an owner of the company the hacker works for. Are we really supposed to believe this was not a setup to generate business? Assuming it was not a setup, I still would never advertise this as being done because it looks like a setup. In fact I would be embarrassed to publish this shameless attempt at demonstrating cred.
    lkruppscstrrfwatto_cobra
    3 Likes, 0 Dislikes, 0 Informatives
  • Reply 4 of 20
    sflocal (Posts: 6,160; member)
    "Hacking" is an overused and abused term. No OS, regardless of the company, is 100% secure. This was a phishing attack. There's a difference.
    dewmestompyscstrrfwatto_cobra
    4 Likes, 0 Dislikes, 0 Informatives
  • Reply 5 of 20
    maltz (Posts: 533; member)
    Ethical hackers prove having a Mac doesn't make you immune to cyberattacks
    Who said that it did? Mac antivirus has been around as long as Windows and even DOS antivirus. The ONLY people I've ever heard cite that claim are people trolling Apple users accusing the Apple users of believing it.
    watto_cobra
    1 Like, 0 Dislikes, 0 Informatives
  • Reply 6 of 20
    jimh2 said:
    Nothing says sketchy like "hacking" a computer owned by an owner of the company the hacker works for. Are we really supposed to believe this was not a setup to generate business? Assuming it was not a setup, I still would never advertise this as being done because it looks like a setup. In fact I would be embarrassed to publish this shameless attempt at demonstrating cred.
    Good lord, did you even read the story?
    watto_cobra
    1 Like, 0 Dislikes, 0 Informatives
  • Reply 7 of 20
    crowley (Posts: 10,453; member)
    alexjenn said:
    So, what happens when someone uses an old Mac stuck with an old and unpatchable OS?
    Switch to Linux
    brian.on.androidwatto_cobra
    2 Likes, 0 Dislikes, 0 Informatives
  • Reply 8 of 20
    There's a fun movie-intro with Robert Redford where he's paid to "hack" a bank.
    He physically breaks in at night, then hacks into the computers, creating fake accounts with $$$
    The next morning, in a suit, he goes in as a customer and closes the accounts.
    Teller asks politely why he's closing the accounts.
    "I didn't feel my $$$ was safe here", with a nice smile.
    Takes the briefcase upstairs in the bank to the board of directors conference room and opens it, with all the $$$.
    "You guys aren't that secure."

    watto_cobra
    1 Like, 0 Dislikes, 0 Informatives
  • Reply 9 of 20
    zimmie (Posts: 651; member)
    alexjenn said:
    So, what happens when someone uses an old Mac stuck with an old and unpatchable OS?
    For at least another version or two, OpenCore Legacy Patcher can help. It uses software developed for the Hackintosh community to run current macOS on older hardware. Depending on the exact model, you may need some post-installation patching, which prevents SIP. If you have a Metal-compatible video card, you can generally get everything: SIP, FileVault, read-only system volume, all the software security features available without a T-series chip.
    watto_cobra
    1 Like, 0 Dislikes, 0 Informatives
  • Reply 10 of 20
    netrox (Posts: 1,547; member)
    The biggest threat for me is the companies that hold my accounts and got exposed to hackers.

    I've used computers as long as the Web has existed and never got "hacked" personally, but the accounts of mine that got hacked were with companies who apparently failed to secure them (Adobe and T-Mobile are examples), as reported by monitoring companies.

    I always ignore phishing attempts. I know that the IRS doesn't threaten me. I know that the government will not seize my property if I don't pay. It's not how it works. Yet we have so many people that actually believe that nonsense.

    iqatedoAlex_Vwatto_cobra
    3 Likes, 0 Dislikes, 0 Informatives
  • Reply 11 of 20
    waveparticle (Posts: 1,497; member)
    netrox said:
    The biggest threat for me is the companies that hold my accounts and got exposed to hackers.

    I've used computers as long as the Web has existed and never got "hacked" personally, but the accounts of mine that got hacked were with companies who apparently failed to secure them (Adobe and T-Mobile are examples), as reported by monitoring companies.

    I always ignore phishing attempts. I know that the IRS doesn't threaten me. I know that the government will not seize my property if I don't pay. It's not how it works. Yet we have so many people that actually believe that nonsense.

    First rate companies hire teams of excellent IT workers monitoring their systems 24 hours non-stop.
    watto_cobra
    1 Like, 0 Dislikes, 0 Informatives
  • Reply 12 of 20
    sevenfeet (Posts: 472; member)
    And this is exactly why when there is an update from Apple, large or small, that I take every single device from my family members and patch it that day. For friends and family I help out with but don't see often, their machines are on auto-update. It's that important to keep up with patches since nearly all of them have security fixes these days.
    watto_cobra
    1 Like, 0 Dislikes, 0 Informatives
  • Reply 13 of 20
    dewme (Posts: 5,982; member)
    sflocal said:
    "Hacking" is an overused and abused term. No OS, regardless of the company, is 100% secure. This was a phishing attack. There's a difference.

    Absolutely true on all counts. In any process, function, activity, or endeavor with a human in the loop, the human is almost always the weakest link. Hate to say it, but we kind of suck and need to put guardrails in place to protect us - from ourselves. Sigh ...
    watto_cobra
    1 Like, 0 Dislikes, 0 Informatives
  • Reply 14 of 20
    GG1 (Posts: 483; member)
    crowley said:
    alexjenn said:
    So, what happens when someone uses an old Mac stuck with an old and unpatchable OS?
    Switch to Linux

    Just use the un-upgradable argument to justify a Studio! I did! (from a 2012 Mini stuck on 10.15)
    watto_cobra
    1 Like, 0 Dislikes, 0 Informatives
  • Reply 15 of 20
    AppleZulu (Posts: 2,383; member)
    No system is guaranteed to be invulnerable.

    That said, these sorts of stories are always fascinating when you read the details and learn that the 'exploit' involves a user who has failed to implement multiple layers of basic precautions and/or an incredibly unlikely scenario for the hackers, like stealing a device, molesting and returning it undetected, etc.

    Again, no system is invulnerable, but when the exploit can be prevented by simply loading security updates within a reasonable time, is it really newsworthy?
    jas99watto_cobra
    2 Likes, 0 Dislikes, 0 Informatives
  • Reply 16 of 20
    mrstep (Posts: 532; member)
    jimh2 said:
    Nothing says sketchy like "hacking" a computer owned by an owner of the company the hacker works for. Are we really supposed to believe this was not a setup to generate business? Assuming it was not a setup, I still would never advertise this as being done because it looks like a setup. In fact I would be embarrassed to publish this shameless attempt at demonstrating cred.
    Good lord, did you even read the story?
    Did jimh2 miss the part where the hacker works for a cyber-security company that Katzenberg invested in and then Katzenberg clicked a phishing link to get his machine infected? Oh no, it looks like jimh2 read that part correctly.
    jas99scstrrfAlex_Vwatto_cobra
    4 Likes, 0 Dislikes, 0 Informatives
  • Reply 17 of 20
    AppleZulu said:
    No system is guaranteed to be invulnerable. 

    That said, these sorts of stories are always fascinating when you read the details and learn that the ‘exploit’ involves a user who has failed to implement multiple layers of basic precautions and/or an incredibly unlikely scenario for the hackers, like stealing a device, molesting and returning it undetected, etc. 

    Again, no system is invulnerable but when the exploit can be prevented by simply loading security updates within a reasonable time, is it really newsworthy?
    It is still a good reminder for folks to keep their devices patched and to not click on suspicious links. As much as everyone reading this thinks it's obvious, there are still major hacks in the news that started this way.
    0 Likes, 0 Dislikes, 0 Informatives
  • Reply 18 of 20
    dk49 (Posts: 289; member)
    How were they able to spoof Anthony's phone number?
    watto_cobra
    1 Like, 0 Dislikes, 0 Informatives
  • Reply 19 of 20
    AppleZulu (Posts: 2,383; member)
    AppleZulu said:
    No system is guaranteed to be invulnerable.

    That said, these sorts of stories are always fascinating when you read the details and learn that the 'exploit' involves a user who has failed to implement multiple layers of basic precautions and/or an incredibly unlikely scenario for the hackers, like stealing a device, molesting and returning it undetected, etc.

    Again, no system is invulnerable, but when the exploit can be prevented by simply loading security updates within a reasonable time, is it really newsworthy?
    It is still a good reminder for folks to keep their devices patched and to not click on suspicious links. As much as everyone reading this thinks it's obvious, there are still major hacks in the news that started this way.
    I have no issue with reminders that security requires end-user participation. My complaint is that so much of the reporting on these proof-of-concept hacks comes with headlines and a tone that suggest a broad threat, while the details describe a convoluted, impractical exercise that is only meaningful to the folks who carried it off and possibly a very limited number of other circumstances involving high-value, foolishly careless targets.
    watto_cobra
    1 Like, 0 Dislikes, 0 Informatives