macOS Mojave Privacy Feature Bypass Bug Revealed

Security researcher Patrick Wardle has disclosed a new security vulnerability in the latest version of macOS, Mojave, hours before the version was released. The researcher showed the privacy feature bypass in a video shared on Twitter. The original purpose of the privacy feature is to prevent apps from improperly accessing the user’s personal data.

In a conversation with TechCrunch, the researcher said that the vulnerability is not a universal bypass of the feature, but it could still allow a malicious app to access protected user data whenever the user is logged in. It should be noted that Apple forced apps to ask for permission prior to accessing users’ contacts and calendar after some iOS apps were caught uploading sensitive user data. The company then expanded the privacy feature so that apps must also ask for permission to access the device’s camera, microphone, email and backups, TechCrunch explained.

What Did Wardle’s Video Reveal?

In the video, the researcher shows how macOS at first rejects access to his stored contacts. However, after he ran an unprivileged script that mimicked a malicious app, the system copied all of his contacts to the desktop.
Out of concern for users’ security, the researcher hasn’t released further details about the vulnerability.

Nonetheless, he decided to release his video simply because he feels that Apple’s lack of a bug bounty program is a real obstacle for researchers to report security issues. In Wardle’s own words, other OS vendors have acknowledged that no software is safe from vulnerability, but Apple is “sticking its head in the sand”.

To be more precise, Apple did start a bug bounty program about 2 years ago, but it was only meant for iOS bugs. On the other hand, Apple has been continuously disregarding the initiation of a bug bounty program for macOS, without (Read more...)

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | authored by Milena Dimitrova.