Security Flaw in macOS Mojave Lets Hackers Access Protected Files
A security researcher demonstrated on Mojave's release day some potential flaws in Apple's latest privacy protection. Patrick Wardle showed how the security in the dark-themed macOS could be bypassed to reach sensitive user data, such as the information in the address book.
Talking to BleepingComputer, Wardle says that he was able to access the confidential user contacts via an unprivileged app, meaning that it did not run with administrator permissions. Wardle states that the zero-day exploit stems from the way Apple implemented the protections for various privacy-related data.
He further stated that the exploit allows a malicious or untrusted app to bypass the new security mechanism and access the sensitive details without authorization. The bypass he found does not work with all of Mojave's new privacy protection features, and hardware-based components such as the webcam are unaffected.
Warble is holding the technical details until his upcoming Mac Security conference Maui, Hawaii, in November. In a demo video, Wardle tries to copy the contents of the address book and denies the operation when the operating system asks for permission. He then runs an unprivileged app that allows him to copy the address book data to the desktop and reveals its contents.
As part of the new user data protections in macOS Mojave, users need to provide their consent manually for access to location services, contacts, calendars, reminders, photos, and other private information and files. Hence, applications can no longer do this automatically as access is now blocked, and an authorization prompt is triggered for direct user interaction.
Apple allows the user to pre-authorize the apps they want to allow access to the sensitive data which can be added to the system's Application Data category in the System Preferences, Security & Privacy panel. Wardle is a seasoned macOS veteran and is responsible for several Mac-centric security products. Hopefully, Apple should address the issue and patches it in the near future.