The popular white hat hacker Patrick Wardle, co-founder and chief research officer at Digita Security, discovered a vulnerability that could be exploited to bypass security warnings by performing ‘Synthetic Clicks’ on behalf of users without requiring their interaction.
In June, Apple introduced a core security feature in macOS that forces applications to obtain permission from users before accessing sensitive data or components.
Wardle disclosed the issue over the weekend during the meeting arranged by his company.
Wardle explained that a “subtle code-signing issue” in macOS could allow any trusted application to be hacked into generating synthetic clicks, bypassing the core security feature introduced in 2018. Malware developers and hackers might use synthetic mouse-click attacks to emulate human behavior in approving security warnings.
The attack could be triggered by an attacker with local access to the device when the screen is dimmed, which means that it could be very difficult to spot.
According to Wardle, no special privileges are required to carry out the attack.
The attack is tied to the Transparency, Consent, and Control (TCC) system, which maintains databases for privacy control settings. The system also includes a compatibility database, stored in the AllowApplicationsList.plist file. This database is used to manage access to protected functions for specific versions of apps with specific signatures; it works as a sort of whitelist.
Wardle explained that an attacker can modify one of the applications in the whitelist and execute it to generate synthetic clicks. An attacker can download a modified version of the targeted app and run it. Apple is not able to detect the changes to the targeted app due to a flaw in code validation checks.
The security updates Apple has released over time failed to completely address the issue, allowing the expert to launch synthetic click attacks. Wardle reported his discovery to Apple a few days ago; the company acknowledged the problem and is likely already working to address it.
While waiting for a fix, macOS users could install GamePlan, the endpoint protection product designed by Digita Security, which prevents synthetic clicks.