Ever since Apple announced enhanced privacy protection for macOS Mojave 10.14 last September, a dedicated band of researchers has been poking away at it looking for security flaws.
Embarrassingly for Apple, it’s not proved a tough challenge with the first turning up on launch day when one researcher reported a surprising bypass of privacy protection using an ordinary app (i.e. no admin permission) to access the address book.
Accessed via System Preferences > Security & Privacy > Privacy, other reported bypasses followed soon after, all apparently addressed by updates to Mojave.
Last week, just when it looked as if Apple might have got on top of the issue, StopTheMadness browser extension developer Jeff Johnson announced a new issue affecting all versions of Mojave including the 10.14.3 supplemental update released only days earlier.
According to Johnson, he discovered a way to access ~/Library/Safari without asking the system or user for permission – a directory that should only be accessible via privileged apps such as the macOS Finder.
There are no permission dialogs, it Just Works™. In this way, a malware app could secretly violate a user’s privacy by examining their web browsing history.
The only caveat was that the bypass doesn’t work for sandboxed apps and applied to those running outside that as “notarised” apps (i.e. those signed by a Developer ID that have passed Apple’s automated malware checks).
In a subsequent interview with Bleeping Computer, Johnson said he’d stumbled on the issue while working on his own Safari extension through an unspecified API:
So the bypass is nothing complex, it just requires Mac developer knowledge.
Just not iOS
Apple’s problem getting this feature to work is that it is trying to juggle two pressures that on iOS look easy by comparison – channelling apps’ access to sensitive folders (including Mail, Messages, Cookies, and Suggestions) through a consent layer without that becoming a chore.
It must also avoid causing problems for older apps built for a time when software’s right to access the information it wanted was taken for granted.
Is Apple closer to solving these niggles? The problem is the issue keeps getting bigger every time it’s looked at.
For instance, it appears to be common knowledge that privacy protection is powerless to stop someone bypassing it using Secure Shell to localhost (with remote login enabled).
Or perhaps using a ‘denial-of-patience’ attack in which a malevolent app continuously invokes tccutil to reset privacy settings until the user gives up in a hail of consent dialogues.
Johnson said he’d reported his discovery to Apple, which means that a future Mojave update should fix the bypass.
It’s already got its hands full fixing other security issues such as the KeySteal flaw that might allow an attacker to access passwords in the KeyChain password manager.
Joann Dettrey
Please explain to me how a company such as this doesn’t realize these factors until after a release to millions of people. Why is it that Naked Security can find these flaws but not Apple? Seriously, this isn’t a rhetorical question. I tried to update the mac os high Sierra. It totally froze my computer. Again, Why?? Thanks for the job you do. I almost updated with the Mojave Dark , after this info, NO WAY! THANK YOU FOR WHAT YOU DO. What else do you do I always need mac air help.
jet86
Firstly, security is hard. Defense requires you to protect against every theoretically possible vector of attack across the entire surface area of your product/hardware/whatever. A successful “attack” (or in the case of security researchers, successfully discovering a flaw) only requires one person to find one tiny hole/vulnerability.
Secondly, this flaw wasn’t discovered by Naked Security, but by an extension developer Jeff Johnson, as the article itself says. I’m not saying this to denigrate Naked Security or Sophos – I think Naked Security does a great job of reporting important issues – just to correct an apparent misunderstanding.
Thirdly, by not updating, you’re actually leaving yourself more vulnerable, not less. As per the article, this vulnerability affects all versions of Mojave, not just the latest, while the latest at least includes protections for other vulnerabilities that earlier versions did not. Also, if you’re on a version of macOS prior to Mojave, then directories which Mojave attempts to keep protected (such as the one affected by this vulnerability) weren’t protected by the OS anyway.
Paul Ducklin
What he said.
dilbertson
Lets be fully honest here, that defense is fast becoming invalid…if not invalid already.
AI/ML driven fuzzing on top of all the previous technologies on top of the in house expertise of the people who spend their lives in source and as such has far more excuses to understand the workings than any 3rd party app developers or security researchers.
I agree that the attack vs. defense dichotomy will mean that there is always something buried somewhere, but these kinds of exploits/flaws? found by humans? that fast? sorry guys, Apple are displaying some shockingly bad QC here.
They are of course in good company, Microsoft, Google and the rest are all dragging their feet on fixing QC issues (too many examples to reference), but then thats exactly what they can do so long as “IT Pros” keep offering confused end users these defenses on their behalf.
We should all really be doing a better job of explaining the issues when asked, at least then theres a chance end users can stamp their feet hard enough to prompt change….it really does happen (rare perhaps, but impossible if we keep excusing bad behavior)
jet86
It isn’t a defense, it’s an explanation – which is what OP asked for.
Eric
Hmm… It’s been a rough few months for Apple since they admitted that iOS slows processing speed as batteries age. Steve Jobs must be rolling in his grave.
DaTh
I’m confused. Is the following real or is this a scam.
macOS wants to access your Google Account
xxxxxxxxxxxxxx@gmail.com
This will allow macOS to:
Read, compose, send, and permanently delete all your email from Gmail
See, edit, download, and permanently delete your contacts
See, edit, share, and permanently delete all the calendars you can access using Google Calendar
View and send chat messages
Make sure you trust macOS
You may be sharing sensitive info with this site or app. Learn about how macOS will handle your data by reviewing its terms of service and privacy policies. You can always see or remove access in your Google Account.
Learn about the risks
Allow
Cancel
English (United States)
Mark Stockley
Hi, it’s impossible for us to answer these kind of questions unless we can say for sure that it’s a scam we’ve heard of, and it isn’t a scam we’ve heard of.
DaTh
P.S. My prior query, regarding the validity of a google post and Mojave OS has me puzzled. It has stopped me from getting emails, so notifications won’t help me there.