Bypass Flaw in Newly Released macOS Mojave Update Lets Hackers Access Protected Files

MacRumors

macrumors bot
Original poster
Apr 12, 2001
48,800
10,205



Researcher Patrick Wardle, who has uncovered many security flaws in Apple's macOS operating system, today shared some details on a new vulnerability that he's found in the newly released macOS Mojave update.

As outlined by BleepingComputer, Wardle discovered that he was able to access Contacts data from the address book using an unprivileged app, as demonstrated in the video below.


According to Wardle, the vulnerability is a result of the way that Apple implemented new macOS privacy protections in the Mojave update.
"I found a trivial, albeit 100% reliable flaw in their implementation," he told us, adding that it allows a malicious or untrusted app to bypass the new security mechanism and access the sensitive details without authorization.
The bypass does not work with all of the new privacy protection features in macOS Mojave, and hardware-based components, such as the webcam, are not affected. Full details on the vulnerability are not available yet, as Wardle plans to share technical details in November.

In the macOS Mojave update, Apple made a change that requires explicit user consent for apps to access location data, camera, contacts, calendars, reminders, messages history, Safari data, mail databases, and other sensitive data, which should prevent the vulnerability that Wardle demonstrates.


Apple will undoubtedly address the security flaw discovered by Wardle in an upcoming update to macOS Mojave.

Article Link: Bypass Flaw in Newly Released macOS Mojave Update Lets Hackers Access Protected Files
 

SecuritySteve

macrumors 6502a
Jul 6, 2017
834
971
California
As a security researcher professional, this is entirely inappropriate. He should have contacted Apple during the beta release cycle and gotten it fixed. If Apple needs more time to fix it, and is aware of the issue, then you keep the vulnerability under wraps so that other hackers do not exploit your vulnerability while it has no fix.

The only reason to publish a vulnerability with no fix is if the vendor WILL NOT FIX the vulnerability. I doubt that is the case here. This Wardle is seeking attention, and should be looked down upon.

See the guys listed here? These are the true professionals, they did it right.

https://support.apple.com/en-us/HT209139
 
Jul 4, 2015
4,488
2,548
Paris
As a security researcher professional, this is entirely inappropriate. He should have contacted Apple during the beta release cycle and gotten it fixed. If Apple needs more time to fix it, and is aware of the issue, then you keep the vulnerability under wraps so that other hackers do not exploit your vulnerability while it has no fix.

The only reason to publish a vulnerability with no fix is if the vendor WILL NOT FIX the vulnerability. I doubt that is the case here. This Wardle is seeking attention, and should be looked down upon.
The video shows beta 11 and the bug being reported.

Unless the whole video and hack are fake.
 
  • Like
Reactions: mrex and Marekul

keysofanxiety

macrumors G3
Nov 23, 2011
9,537
25,263
And that's why you never install a new major macOS version until at least a couple of months have passed
What, because security researchers withhold vulnerabilities they discovered in beta until it’s released to the public?

Edit: well looks like he did report it. Kinda just read the article and jumped the gun on that one. My bad.
 

rafark

macrumors 65816
Sep 1, 2017
1,052
1,565
Yeah they should have a beta program or something with a feedback app, then this would’ve been discovered months ago :rolleyes:
It's a very minor security issue and the idea that every single possible security flaw can be found and patched before a major software release is silly. Let's just hope that Apple patches it in a timely manner.
In software development there is this thing called testing. Small teams cannot test everything but for a company this size more exhaustive testing is expected.
 

springsup

macrumors 65816
Feb 14, 2013
1,114
827
If this guy has access to the various betas, this is a real chump move. The defect would have been present in at least the last beta, if not before.
Maybe he only discovered it recently. Nothing to suggest he has been sitting on it for months.

But he shouldn't release technical details unless Apple refuses to patch it. Even then, it's questionable.
 
  • Like
Reactions: MacsRuleOthersDrool
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.