Vulnerability in macOS allows hackers to perform “artificial clicks”

IT security audit specialists discovered a flaw that exploits a security feature in the macOS system used to prevent malicious applications from accessing the camera, microphone, or personal data without the user’s explicit consent.

The user’s privacy protection mechanisms in the macOS Mojave prevent applications installed from unofficial sources from being able to access information such as user contacts, location details, messages, among others, unless the user approve the action by clicking a pop-up box. “Privacy protection is the main reason why people choose Apple,” the company’s executives mentioned in announcing the launch of these protection measures.

However, it is possible to bypass this protection. The popup window where the system requests user approval can be deceived by using “artificial clicks”, made by a malicious actor outside the user’s device.

As the IT security audit specialists previously reported, it was possible to generate these artificial clicks using a tool preinstalled in macOS called AppleScript, or with the numeric keys of the keyboard. To prevent these features from being exploited by malicious users using malware, Apple decided to block any artificial click, which requires users to physically click the box to approve an action.

Patrick Warder, a former NSA employee and head of research at the IT security audit firm Digita Security, describes the method he discovered to bypass these protections in a relatively simple way.  The expert mentions that the flaw exists due to a white list of macOS applications with special permission to generate artificial clicks to prevent them from collapsing.

The applications are signed with a digital certificate that proves that it is a genuine development and has not been maliciously manipulated. If it has been modified in any way, the certificate shows an error and the operating system stops the implementation of the app. Because of this flaw, macOS only verifies the existence of the certificate, not the authenticity of the application, omitting the app’s manipulation verification.

“The system does not check the integrity of the software, so a manipulated version of an app included in the Apple white list could be exploited to perform artificial clicks”, adds the specialist.

The expert claims that this vulnerability is a second stage of attack, as it is necessary for an attacker to have physical access to the compromised device. According to specialists from the International Institute of Cyber Security (IICS), Apple has already been notified of this vulnerability, although the company has not made any comments about it.