Patrick Wardle has done it again: this time the popular expert and former NSA hacker has found a zero-day flaw in macOS on Mojave's release day.
According to the expert, the implementation bug can be exploited to access sensitive user data, including information in the address book.
The vulnerability resides in the implementation of the privacy-protection mechanisms for sensitive data.
The user data protection measures introduced in macOS Mojave require users to give explicit consent before applications can access sensitive data and files (e.g. location services, contacts, calendars, photos).
Applications can no longer do this automatically by simulating human input with synthetic clicks; Apple's latest OS displays an authorization request that requires direct user interaction.
Access can be granted by adding applications to the system's Application Data category in the Security & Privacy panel of System Preferences.
Wardle was able to access the sensitive data using an unprivileged app.
“I found a trivial, albeit 100% reliable flaw in their implementation,” he told Bleeping Computer.
Wardle explained that the exploitation of the zero-day issue only works on Mojave’s new privacy protection features.
Mojave's 'dark mode' is gorgeous 🙌
…but its promises about improved privacy protections? kinda #FakeNews 😥
btw if anybody has a link to 🍎's macOS bug bounty program I'd 💕 to report this & other 0days -donating any payouts to charity 🙏
— patrick wardle (@patrickwardle) September 24, 2018
Below is the video PoC published by Wardle. It shows the expert trying to copy the contents of the address book and denying the operation when the operating system asks for permission. Wardle then uses an unprivileged app that allows him to access the address book data.
Wardle plans to present technical details of the zero-day flaw at the upcoming Mac Security conference in Maui, Hawaii, in November.
(Security Affairs – zero-day, Mojave)