A new security vulnerability has been discovered in the latest version of Apple’s macOS Mojave that could allow a malicious application to access data stored in restricted folders that are otherwise not accessible to every app.
Discovered by application developer Jeff Johnson on February 8, the vulnerability is unpatched at the time of writing and impacts all versions of macOS Mojave, including the macOS Mojave 10.14.3 Supplemental Update released on February 7.
Certain folders in macOS Mojave, like ~/Library/Safari, are restricted by default and can be accessed by only a few applications, such as Finder.
However, Johnson discovered a way to bypass these restrictions in Mojave, allowing applications to access ~/Library/Safari without needing any permission from the user or the system, and read users’ web browsing history.
“My bypass works with the ‘hardened runtime’ enabled,” Johnson said in a blog post published last week.
“Thus, an app with the ability to spy on Safari could be ‘notarized’ by Apple (as long as it passed their automated malware checks, which I suspect would be no problem). My bypass does not work with sandboxed apps, as far as I can tell.”
Since the vulnerability has already been reported to Apple and would not get a patch until at least the next official release of Mojave, Johnson has decided not to release technical details until the flaw is resolved.
Johnson also clarified that the privacy protection bypass he discovered has nothing at all to do with Safari extensions. The issue affects restricted folders in general, so it could potentially impact all restricted folders on the macOS system, including ~/Library/Safari.
Since the issue resides in the new privacy protection feature introduced by Apple in macOS Mojave 10.14, Apple users running High Sierra on their Mac computers are not impacted by the vulnerability.
We will update this article as soon as we hear more from the researcher about the vulnerability. Stay tuned!