Zero-day vulnerability in macOS Mojave bypasses system-level privacy permissions

Apple's macOS Mojave, which was released to users around the world on Monday, includes a faulty implementation of security protections that can potentially expose personal user data, according to one security researcher.

Outlined by Patrick Wardle of Digita Security, the apparent flaw allows an unprivileged app to bypass built-in system-level permissions and skim user information from certain apps. Wardle has uncovered a number of Apple-related security issues, the most recent being the exfiltration of sensitive user data by popular Mac App Store app Adware Doctor.

Apple during this year's Worldwide Developers Conference in June introduced an extended set of macOS security features that require users provide express permission to use select apps and hardware. Specifically, users need to authorize access to Mac's camera, microphone, Mail history, Messages, Safari, Time Machine and iTunes backups, locations, routines and system cookies when running macOS Mojave.

In a short video uploaded to Twitter, Wardle demonstrates a bypass to at least one of these protections.

The brief demonstration shows a first failed attempt to access and copy contacts through Terminal, an expected result under Apple's security measures. Wardle then runs an unprivileged app, aptly called "breakMojave," to locate and access Mac's Address Book.

With access secured, Wardle is able to run a list command to view all files in the private folder, including metadata and images.

[0day] Bypassing Mojave's Privacy Protections from patrick wardle on Vimeo.

Speaking to TechCrunch, Wardle said the exploit is "not a universal bypass" of the extended permissions feature, but noted the procedure can be leveraged to gain access to protected data when a user is logged in to macOS. As such, the flaw is unlikely to pose a major problem for most users, but could be troublesome in certain situations.

The security researcher is keeping details of the bug private to protect the general public, but said he aired the bypass to draw attention to Apple's lack of a bug bounty for Mac. Indeed, a cheeky line in Wardle's script reads, "Submitting report to [email protected]. . .ERROR: macOS bug bounty program not found :/"

Apple currently runs an iOS bug bounty program, introduced in 2016, that pays out up to $200,000 for bugs related to secure boot firmware components, though the company has yet to roll out a similar incentives initiative for Mac.

With the bug now out in the open, Apple will undoubtedly inquire about its details and issue a patch in a coming update.