Bypass Flaw in Newly Released macOS Mojave Update Lets Hackers Access Protected Files

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Sep 24, 2018.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1

    Researcher Patrick Wardle, who has uncovered many security flaws in Apple's macOS operating system, today shared some details on a new vulnerability that he's found in the newly released macOS Mojave update.

    As outlined by BleepingComputer, Wardle discovered that he was able to access Contacts data from the address book using an unprivileged app, as demonstrated in the video below.


    According to Wardle, the vulnerability is a result of the way that Apple implemented new macOS privacy protections in the Mojave update.
    The bypass does not work with all of the new privacy protection features in macOS Mojave, and hardware-based components, such as the webcam, are not affected. Full details on the vulnerability are not available yet, as Wardle plans to share technical details in November.

    In the macOS Mojave update, Apple made a change that requires explicit user consent for apps to access location data, camera, contacts, calendars, reminders, messages history, Safari data, mail databases, and other sensitive data, which should prevent the vulnerability that Wardle demonstrates.

    Apple will undoubtedly address the security flaw discovered by Wardle in an upcoming update to macOS Mojave.

     
  2. fokmik macrumors 68030

    Joined:
    Oct 28, 2016
    Location:
    USA
    #2
    Why come forward today and not earlier, so that Apple can fix this before the Mojave release? I wonder...
     
  3. keysofanxiety macrumors G3

    keysofanxiety

    Joined:
    Nov 23, 2011
    #3
    Couldn’t he have shared this a day before it was released? Feel like a bit of a doughnut now that I’m halfway through the update :(
     
  4. rafark macrumors 6502a

    rafark

    Joined:
    Sep 1, 2017
    #4
    Why don't they do proper testing? A bit embarrassing for a trillion-dollar company.
     
  5. Enclavean macrumors member

    Enclavean

    Joined:
    Jun 14, 2018
  6. dannyyankou macrumors 604

    dannyyankou

    Joined:
    Mar 2, 2012
    Location:
    Scarsdale, NY
    #6
    It requires the Mac to be unlocked in the first place, so this isn’t the worst security flaw in the world.
     
  7. stu.h macrumors 65816

    stu.h

    Joined:
    May 8, 2010
    Location:
    West Midlands, England.
    #7
    I've barely started the upgrade and saw this pop up in notifications!
     
  8. dazz87 macrumors 65816

    Joined:
    Sep 24, 2007
    #8
    On the day it's being released...LOL
     
  9. dannyyankou macrumors 604

    dannyyankou

    Joined:
    Mar 2, 2012
    Location:
    Scarsdale, NY
    #9
    Yeah they should have a beta program or something with a feedback app, then this would’ve been discovered months ago :rolleyes:
     
  10. MacDawg macrumors Core

    MacDawg

    Joined:
    Mar 20, 2004
    Location:
    "Between the Hedges"
    #10
    Oh goodie, now we can have all of the usual suspects flock here to take a **** on Apple
     
  11. SecuritySteve macrumors 6502

    SecuritySteve

    Joined:
    Jul 6, 2017
    Location:
    California
    #11
    As a security researcher professional, this is entirely inappropriate. He should have contacted Apple during the beta release cycle and gotten it fixed. If Apple needs more time to fix it, and is aware of the issue, then you keep the vulnerability under wraps so that other hackers do not exploit your vulnerability while it has no fix.

    The only reason to publish a vulnerability with no fix is if the vendor WILL NOT FIX the vulnerability. I doubt that is the case here. This Wardle is seeking attention, and should be looked down upon.

    See the guys listed here? These are the true professionals, they did it right.

    https://support.apple.com/en-us/HT209139
     
  12. benshive macrumors member

    Joined:
    Feb 26, 2017
    Location:
    United States
    #12
    It's a very minor security issue and the idea that every single possible security flaw can be found and patched before a major software release is silly. Let's just hope that Apple patches it in a timely manner.
     
  13. 128KMac macrumors member

    128KMac

    Joined:
    Jan 6, 2004
    #13
    If this guy has access to the various betas, this is a real chump move. The defect would have been present in at least the last beta, if not before.
     
  14. SoyCapitanSoyCapitan macrumors 601

    SoyCapitanSoyCapitan

    Joined:
    Jul 4, 2015
    Location:
    SELL $BTC
  15. pier macrumors 6502a

    pier

    Joined:
    Feb 7, 2009
    #15
    And that's why you never install a new major macOS version until at least a couple of months have passed
     
  16. Rudy69 macrumors 6502a

    Rudy69

    Joined:
    Mar 30, 2009
    #16
    You're not any more vulnerable than you would be using 10.13
     
  17. SoyCapitanSoyCapitan macrumors 601

    SoyCapitanSoyCapitan

    Joined:
    Jul 4, 2015
    Location:
    SELL $BTC
    #17
    The video shows beta 11 and the bug being reported.

    Unless the whole video and hack are fake.
     
  18. keysofanxiety macrumors G3

    keysofanxiety

    Joined:
    Nov 23, 2011
    #18
    What, because security researchers withhold vulnerabilities they discovered in beta until it’s released to the public?

    Edit: well looks like he did report it. Kinda just read the article and jumped the gun on that one. My bad.
     
  19. rafark macrumors 6502a

    rafark

    Joined:
    Sep 1, 2017
    #19
    In software development there is this thing called testing. Small teams cannot test everything but for a company this size more exhaustive testing is expected.
     
  20. Zachari macrumors regular

    Zachari

    Joined:
    Feb 8, 2012
    Location:
    Washington, DC
    #20
    That's what we call the beta stage of software. They do. Things slip though.
     
  21. springsup macrumors 65816

    springsup

    Joined:
    Feb 14, 2013
    #21
    Maybe he only discovered it recently. Nothing to suggest he has been sitting on it for months.

    But he shouldn't release technical details unless Apple refuses to patch it. Even then, it's questionable.
     
  22. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #22
    I'm glad I opted to not update and I'll stick with HS for a little while longer
     
  23. kazmac macrumors 603

    kazmac

    Joined:
    Mar 24, 2010
    Location:
    On the silver scream
    #23
    *Sighs* Maybe I’ll keep this iMac on Sierra for awhile longer.
     
  24. chrono1081 macrumors 604

    chrono1081

    Joined:
    Jan 26, 2008
    Location:
    Isla Nublar
    #24
    This is not how things work. You can test till you're blue in the face and someone will always find some kind of strange flaw/quirk.

    This is why major companies, Apple included, offer bug bounty programs.
     
  25. jwm macrumors 6502

    jwm

    Joined:
    Nov 18, 2010
    Location:
    Hertfordshire, United Kingdom
    #25
    Better publicity probably. Unfortunate if it was intentional.
     