Ethical hackers prove having a Mac doesn't make you immune to cyberattacks

MacBook Pro

Rachel Tobac, a social engineer and CEO of SocialProof Security, successfully carried out the attack on the unspecified macOS device. According to Tobac, the attack was a demonstration for identify theft protection firm Aura — a company that Katzenberg invests in.

Tobac leveraged a since-patched vulnerability and social engineering skills to get Katzenberg to click on a phishing link on a spoofed website. Once Katzenberg did so, she was able to steal photos, emails, and contacts from the Mac.

Additionally, the hacker was able to turn on the Mac's microphone and eavesdrop on Katzenberg without triggering the build-in macOS microphone indicator.

Tobac's husband Evan — also a hacker and security researcher — published another Twitter thread with details on the macOS vulnerability.

The exploit was built based on research from Ryan Pickren, who became notable when he was paid $100,500 for discovering a Safari Universal Cross-Site Scripting bug.

More specifically, the exploit leveraged the underlying bug to carry out an attack using iCloud links and Safari's sharing preferences. Importantly, the attack only worked because Katzenberg's Mac was out of date by several updates.

According to both Tobacs, some mitigations for the specific attack include keeping machines patched with the latest security updates, using at least two methods of verification for communications, and avoiding clicking on suspicious email links — particularly if they are sent in an urgent manner.