
gekko513 (macrumors 603, Original poster; joined Oct 16, 2003)
I found this article that describes ways to use the flexibility of the Objective C runtime environment in OS X to easily create simple viruses or spyware that can spread through mail or instant messaging.

I think this sounds like a real danger. Some quotes from the article:

One of the cool (but somewhat unknown to non-developers) features in Mac OS X is the ability to load bundle code into arbitrary applications using the InputManagers directory. ...

The ability to make such modifications without any user notification (and modifying a user’s InputManagers directory is available to any process running as the user), has been previously put forth as a security problem with Mac OS X. ...

For example, I wrote a proof-of-concept malicious bundle called mailHack that loads within the Mail.app application and swizzles the [MessageEditor send:] function. The hacked version of the function calls [self addFileWrappersForPaths:myFilePath], where myFilePath points to its own file path. This adds itself as an attachment to any email sent through the Mail.app application. There is no user notification whatsoever, except the user might notice their email takes slightly longer to send than usual. ...

I also wrote a second proof-of-concept bundle called iChatHack that patches numerous functions within iChat. By patching the [BuddyList personStatusChanged:] function, I was able to run my code anytime someone's status changed. The bundle uses the [FileSender _sendFile] function to send itself to every person who is already online or later comes online. By patching three FileProgress functions, I was able to perform the operation without notifying the user that the file transfer is taking place. ...

Of course, the bundle code could also perform other tasks that the virus-writer wanted. For example, a spyware virus could patch a function in Safari to obtain login and password information, or credit card numbers, at each site visited, then tuck it away in its convenient SQLite database to await the owner’s request. Even SSL-protected sites would be vulnerable to such an attack, because the bundle attacks the browser before the data has been encoded.
...
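The post describes bundles dropped into the InputManagers directory so that they get loaded into Mail.app or iChat. The check a practitioner would want is simply to enumerate what is sitting in those directories. The script below is an added example, not code from the post or from the article it quotes: it lists every input manager under a given InputManagers directory with the owner of its folder and the executable inside its bundle, so an unexpected entry stands out. The per-manager layout it assumes (`Name/Info` plus `Name/Name.bundle/Contents/MacOS/<executable>`) is the conventional one; the sample tree built by `make_sample_tree` uses the names mailHack and iChatHack from the article purely as constructed test data.

```shell
#!/bin/sh
# Added example (not from the MacRumors post or the quoted article): scan
# InputManagers directories the way a user checking for dropped bundles would.
# Assumed layout per input manager:
#   <Dir>/<Name>/Info
#   <Dir>/<Name>/<Name>.bundle/Contents/MacOS/<executable>

# Print one tab-separated line per input manager found under DIR:
# name, owner of its folder, and the executable in its bundle
# ("MISSING" if the bundle has nothing under Contents/MacOS).
list_input_managers() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for im in "$dir"/*/; do
        [ -d "$im" ] || continue
        name=$(basename "$im")
        bundle="$im$name.bundle"
        exe=""
        if [ -d "$bundle/Contents/MacOS" ]; then
            exe=$(ls "$bundle/Contents/MacOS" 2>/dev/null | head -n 1)
        fi
        [ -n "$exe" ] || exe="MISSING"
        owner=$(ls -ld "$im" | awk '{print $3}')
        printf '%s\t%s\t%s\n' "$name" "$owner" "$exe"
    done
}

# Number of input managers under DIR. For ~/Library/InputManagers on a
# machine that has never installed one, anything other than 0 deserves a look.
count_input_managers() {
    list_input_managers "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree under ROOT so the scan can be exercised
# offline. The names mailHack and iChatHack come from the article's
# description; the files are empty placeholders, not real bundles.
make_sample_tree() {
    root="$1"
    for name in mailHack iChatHack; do
        mkdir -p "$root/$name/$name.bundle/Contents/MacOS"
        : > "$root/$name/Info"
        : > "$root/$name/$name.bundle/Contents/MacOS/$name"
    done
    # A folder with no bundle executable, to show the MISSING case.
    mkdir -p "$root/Stale"
}

# Stand-alone run: report both places OS X looks for input managers.
for d in "${HOME:-/nonexistent}/Library/InputManagers" /Library/InputManagers; do
    list_input_managers "$d"
done
```

Running the script prints nothing on a machine with no input managers installed, which is the expected state for the per-user directory in particular, since the post's point is that any process running as the user can write there. Note that Apple tightened this in Mac OS X 10.5: input managers are loaded only from /Library/InputManagers, must be owned by root, and are not loaded into 64-bit processes, so the per-user vector described above applies to 10.4 and earlier.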