Vulnerability in macOS Mojave allows bypassing the new privacy protection mechanisms

Immediately after the release of the new version of macOS (Mojave) on September 24, 2018, Patrick Wardle, a well-known information security specialist and co-founder of Digita Security, reported the discovery of a 0-day vulnerability that allows the improved privacy mechanisms to be bypassed. In macOS Mojave, users must give their explicit consent before an application can access local services, contacts, the calendar, photos, the camera, the microphone and so on. This is meant to prevent applications from obtaining such access automatically by simulating human actions.

On Twitter, Wardle noted that the “dark mode” of the new version of the OS looks great, and immediately called the information about improved privacy protection “fake news”. In support of his words, the expert published a proof-of-concept video.

The video demonstrates that an unprivileged application can bypass the privacy protection and gain access, for example, to the user’s address book and the confidential information it contains.

Wardle explained to Bleeping Computer reporters that he would withhold technical details of the new bug until the Mac Security conference in November 2018. At the same time, the researcher called the bug “trivial and 100% reliable”, although he noted that his method does not bypass all of the privacy protection mechanisms implemented in macOS Mojave, and that hardware components such as the webcam are not at risk.

 
