
Zero-day vulnerability in macOS Mojave bypasses system-level privacy permissions

Apple's macOS Mojave, which was released to users around the world on Monday, includes a faulty implementation of security protections that can potentially expose personal user data, according to one security researcher.

Outlined by Patrick Wardle of Digita Security, the apparent flaw allows an unprivileged app to bypass built-in system-level permissions and skim user information from certain apps. Wardle has uncovered a number of Apple-related security issues, the most recent being the exfiltration of sensitive user data by popular Mac App Store app Adware Doctor.

Apple during this year's Worldwide Developers Conference in June introduced an extended set of macOS security features that require users to provide express permission to use select apps and hardware. Specifically, users need to authorize access to the Mac's camera, microphone, Mail history, Messages, Safari, Time Machine and iTunes backups, locations, routines and system cookies when running macOS Mojave.

In a short video uploaded to Twitter, Wardle demonstrates a bypass to at least one of these protections.

The brief demonstration shows a first failed attempt to access and copy contacts through Terminal, an expected result under Apple's security measures. Wardle then runs an unprivileged app, aptly called "breakMojave," to locate and access the Mac's Address Book.

With access secured, Wardle is able to run a list command to view all files in the private folder, including metadata and images.

Speaking to TechCrunch, Wardle said the exploit is "not a universal bypass" of the extended permissions feature, but noted the procedure can be leveraged to gain access to protected data when a user is logged in to macOS. As such, the flaw is unlikely to pose a major problem for most users, but could be troublesome in certain situations.

The security researcher is keeping details of the bug private to protect the general public, but said he aired the bypass to draw attention to Apple's lack of a bug bounty for Mac. Indeed, a cheeky line in Wardle's script reads, "Submitting report to bugbounty@apple.com. . .ERROR: macOS bug bounty program not found :/"

Apple currently runs an iOS bug bounty program, introduced in 2016, that pays out up to $200,000 for bugs related to secure boot firmware components, though the company has yet to roll out a similar incentives initiative for Mac.

With the bug now out in the open, Apple will undoubtedly inquire about its details and issue a patch in a coming update.



14 Comments

normang 17 Years · 118 comments

While I want the OS to be secure, it always seems odd that they wait until the day it's released to reveal a security flaw... What's wrong with actually showing Apple the issue long before the release, did it pop up only in the GM? Seems unlikely, since it's only been available a few days at most. And yet while it's an issue, someone would actually have to install some app that would have the flaw in it, and what are the chances of that... about the same as the flaw... Zero...

davgreg 9 Years · 1050 comments

Maybe instead of wasting time on emoji they might want to spend some cash on security. 

austinbaze 9 Years · 16 comments

Yes, I suspect Apple is spending zero on macOS security. All those emoji are sucking the life out of their bank accounts. Reality check: this is an infinitesimally small exploit and risk requiring sophisticated knowledge and a “breaker” app and will be patched by the time you think up your next witty comment.

tyler82 18 Years · 1107 comments

Lesson in all this: Don't upgrade your OSes for at least 4 months after release.

chasm 10 Years · 3624 comments

tyler82 said:
Lesson in all this: Don't upgrade your OSes for at least 4 months after release.

Not at all: your chances of being affected by this bug are 0.000000000001 percent, approximately. To put it another way: if you're using anything made by Google, or anything to do with Alexa, your private data is far more compromised than this exploit, even if you're the one-in-a-few-billion who is actually attacked by this before it is patched, could dream of.

If you want to wait, of course that's your prerogative, but this ... is not a valid reason to do so.