Vulnerability in macOS Mojave allows access to protected files

The flaw allows malicious actors to avoid privacy measures

An expert in cybersecurity and ethical hacking was able to demonstrate that Apple’s latest privacy protection implementations on macOS are not that strong, just on the day of the release of the latest Mojave version. Patrick Wardle showed that macOS security can be omitted to access confidential user data, such as information in the address book.

Defective implementation of the new security mechanism

Patrick Wardle mentions that he was able to access the confidential user address through a non-privileged application, which means that it was not executed with administrator permissions. The ethical hacking expert says that the zero-day vulnerability derives from the way Apple implemented the protections for various privacy-related data.

“I found a trivial flaw, although 100% reliable in its implementation”, said Wardle, adding that this vulnerability allows a malicious or unreliable application to bypass the new security mechanism and access confidential details without authorization.

Wardle says the found vulnerability does not work with all of the new Mojave privacy protection features, and hardware-based components such as the webcam are not affected by this flaw.

The expert in ethical hacking decided to reserve the technical details of his research until his participation in a cybersecurity related event. In a later test, Wardle attempted to copy the contents of the address book and deny the operation when the operating system requests permission. It then runs a non-privileged application that allowed him to copy the address book data to the desktop and provide access to the few entries he added for demonstration purposes.

Finally, he ran a non-privileged application that allowed him to copy the Address book data to the desktop

User Data protection on MacOS Mojave

As part of new user data protection measures in macOS Mojave, users must explicitly provide apps their consent to access their location, contacts, calendars, reminders, photos and other files and private information.

This means that applications can no longer do this automatically by simulating human interaction with the device (also known as synthetic clicks) using the prescribed APIs. Any such access is now blocked in Apple’s latest operating system, and an authorization notice is triggered for direct user interaction.

To reduce the hassle generated by authorization notices, Apple included a pre-authorization feature for the applications the user wants to use.

As experts in ethical hacking report from the International Institute of Cyber Security, this configuration can be done in the system preferences, security and privacy panel.