Apple Mac zero-day flaw lets a fake Safari app run with administrator access

The launching of Apple’s Bug Bounty Program allowed the cybersecurity community to work together with the giant tech company to fix multiple security flaws that could have compromised users of this technology in exchange for significant sums of money, as mentioned by security testing course experts.

One of the most important reports the company has received through this program concerns a zero-day flaw that threat actors could exploit to access users' private files stored in the Safari browser; it even affects the beta version of macOS Big Sur. The report was filed by researcher Jeff Johnson.

The attack requires tricking a user of Apple devices into downloading a seemingly harmless file from a malicious site, which the attackers use to create a copy of the Safari app; the most dangerous part is that macOS cannot distinguish between the legitimate browser and the copy.

As a result of the attack, any file that the Safari browser can access also becomes accessible to cybercriminals, security testing course experts mentioned. After completing the attack, the attackers can automate certain tasks, including sending the exposed documents to malicious servers.

This flaw exists because Transparency, Consent and Control (TCC), Apple's privacy protection system, allows some exceptions that require verifying only an application's identifier, so only a superficial security check is performed. The vulnerability affects the Mojave, Catalina, and Big Sur versions of macOS.
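As an added illustration (not code from the original report or from Apple), the following Python model contrasts an exception keyed only on the declared bundle identifier with one that is also bound to the code signature; the app records, signer names and requirement values are constructed stand-ins, not real macOS APIs or Apple's actual requirement strings.

```python
"""Model of why trusting a self-declared bundle ID is weaker than trusting the
code signature. All records and signer names here are constructed sample data."""
from dataclasses import dataclass

# Bundle IDs that a TCC-style exception would trust for access to protected files.
TRUSTED_BUNDLE_IDS = {"com.apple.Safari"}

# Hypothetical designated requirement: the signer chain each trusted bundle ID
# must carry. Placeholder values, not Apple's real requirement strings.
EXPECTED_SIGNER = {"com.apple.Safari": ("Apple Root CA", "Software Signing")}


@dataclass(frozen=True)
class AppBundle:
    path: str
    bundle_id: str        # read from Info.plist; attacker-controlled in a copied app
    signer_chain: tuple   # constructed stand-in for the code-signing certificate chain
    signature_valid: bool


def allows_weak(app: AppBundle) -> bool:
    """Vulnerable model: grant the exception on the declared bundle ID alone."""
    return app.bundle_id in TRUSTED_BUNDLE_IDS


def allows_hardened(app: AppBundle) -> bool:
    """Hardened model: the bundle ID must match AND the signature must be valid
    and chain to the signer the exception was written for."""
    if app.bundle_id not in TRUSTED_BUNDLE_IDS or not app.signature_valid:
        return False
    return app.signer_chain == EXPECTED_SIGNER[app.bundle_id]


def find_impostors(apps):
    """Defender check: bundles that claim a trusted ID but fail the hardened test."""
    return [a.path for a in apps if allows_weak(a) and not allows_hardened(a)]


# Constructed sample inventory: the genuine browser, a downloaded copy, a third app.
SAMPLE_APPS = [
    AppBundle("/Applications/Safari.app", "com.apple.Safari",
              ("Apple Root CA", "Software Signing"), True),
    AppBundle("/Users/victim/Downloads/Safari.app", "com.apple.Safari",
              ("ad-hoc",), True),  # ad-hoc signature validates locally but is not Apple's
    AppBundle("/Applications/Notes.app", "com.example.notes", ("Developer ID",), True),
]

if __name__ == "__main__":
    print(find_impostors(SAMPLE_APPS))  # → ['/Users/victim/Downloads/Safari.app']
```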

Although the flaw was reported in December 2019 and the company contacted the researcher to inform him that a security patch would be released, Johnson says Apple has neither paid for the report nor released updates to correct the flaw: "It has already been more than 90 days, the reasonable disclosure period, and Apple doesn't seem to have any intention of correcting this flaw and paying the bounty," the researcher says.

Many ethical hackers and security testing course experts have complained about the slowness of Apple's bounty program, which also means that the company takes too long to fix the flaws reported through this collaboration with the cybersecurity community.

For further reports on vulnerabilities, exploits, malware variants and information security risks, it is recommended to enter the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.