“Sandboxed Mac Apps Can Record Your Screen at Any Time Without You Knowing,” but Apple Doesn’t Seem to Care
Any macOS app, sandboxed or not, can silently take screenshots of your Mac without you having any clue, one security researcher claimed over the weekend. Felix Krause made headlines just a few months back when he showed how easy it was to phish users on iOS. In his latest post, Krause suggests that Apple is ignoring a flaw that lets apps take screenshots and read the text on the screen using basic OCR (Optical Character Recognition) software.
Krause adds that any app can use the CGWindowListCreateImage function to capture the screen without user permission. "In my experiments, I piped the generated image over to an OCR library and was able to get all text that was rendered on the user’s machine," he writes. Although this is unverified and untested, Krause also suggests that the same access could extend to all connected monitors. His blog post reads:
Any Mac app, sandboxed or not sandboxed, can:
- Take screenshots of your Mac silently without you knowing
- Access every pixel, even if the Mac app is in the background
- Use basic OCR software to read the text on the screen
- Access all connected monitors
Describing the worst-case scenarios, Krause says that apps can read passwords and keys from password managers, "detect what web services you use, read all emails and messages you open on your Mac, learn personal information about the user, like their bank details, salary, address, etc."
Apple didn't respond to researcher's Mac security issue report
In an email to Wccftech, Krause said that Apple hasn't responded to his bug report yet, which is why he had to go public. "I'm sure it will be resolved soon though," he hopes.
Offering fixes for this issue, the security researcher wrote that there needs to be some kind of control and that the user should be in charge through a permission dialog. "Additionally the user should be notified whenever an app accesses the screen," he adds.
"There are lots of valid use-cases for Mac apps to record the screen, e.g. 1Password 2FA support, screen recording software or even simple screen sharing via your web browser or Skype. However, there must be some kind of control," Krause warned. The fixes he has proposed look basic and straightforward, so it's unclear why Apple has ignored this issue and hasn't yet implemented a fix.