Apple today pushed the latest macOS Mojave system to users around the world. However, a security researcher said the new system contained a security enforcement vulnerability that could lead to the disclosure of personal user data. Patrick Wardle, the principal researcher at security company Digita Security, introduced the apparent weakness.
He pointed out that the vulnerability would allow an application without special permissions to bypass system-built system-level permissions and obtain user information for a specific application. Wardle has disclosed some security issues related to Apple, the most recent of which is the famous Mac application Adware Doctor secretly recording user information.
At the Global Developers Conference in June, Apple introduced an enhanced set of macOS security features that require users to provide explicit licenses to others using selected applications and hardware. Specifically, users need to be authorised to access information such as Mac cameras, microphones, mail history, messages, Safari, and more.
Wardle uploaded a short video to Twitter to demonstrate how to bypass at least one of the protection mechanisms. He first tried to access and copy contacts using the terminal, and the result failed. This was a result of the expected protection under Apple’s security mechanism. Next, Waddry ran an application with no special permissions called “Invasion Mojave” (breakMojave) to find and access Mac’s address book.
Mojave's 'dark mode' is gorgeous 🙌
…but its promises about improved privacy protections? kinda #FakeNews 😥
btw if anybody has a link to 🍎's macOS bug bounty program I'd 💕 to report this & other 0days -donating any payouts to charity 🙏
— patrick wardle (@patrickwardle) September 24, 2018
After a successful visit, Waddry was able to run a directory command to view all the files in the private folder, including metadata and images. In an interview, Wardle said that this demonstration is not a “general method” to bypass the enhanced permissions, but can be used to obtain protected data after the user logs in to macOS. For its part, it is unlikely to cause significant problems for most users, but it can cause trouble in certain situations.
He did not disclose the details of the vulnerability to protect the public but said he demonstrated the weakness to attract Apple’s attention because the company did not set up a vulnerability incentive mechanism for the Mac.
Apple launched the iOS Vulnerability Reward Program in 2016, which rewards $200,000 for vulnerabilities related to the secure boot firmware. However, Apple did not set up a similar reward mechanism for the Mac. With the disclosure of this vulnerability, Apple will ask for the details of the vulnerability and patch it in the next update.