A security bug in macOS allows malicious apps installed on macOS to steal Safari browsing history

• A bug in a developer API allows malicious apps installed on macOS Mojave to infiltrate Safari browsing history data.
• This security flaw affects all known macOS Mojave versions.

Jeff Johnson, the developer of the Underpass Mac and iOS app uncovered a security bug in macOS that allows malicious apps installed on macOS Mojave to steal Safari browsing history data. The developer noted that the bug affects all known macOS Mojave versions.

Johnson explained in a blog that the bug allows malicious apps to gain access to a normally protected folder in macOS Mojave device from where attackers can steal Safari browsing data.

Snooping Safari browser history

The Mac developer noted that in macOS Mojave, certain folders have restricted access that is forbidden by default. “For example, ~/Library/Safari. In [the] Terminal app, you can't even list the contents of that folder,” Johnson said. However, Mojave provides special access to this folder for only a few apps such as Finder.

Johnson disclosed that he uncovered a method to bypass these restrictions in Mojave and allow apps to infiltrate~/Library/Safari without any permission from the system or from the user.

“There are no permission dialogs, It Just Works. In this way, a malware app could secretly violate a user's privacy by examining their web browsing history,” Johnson explained in a blog.

Bug in a developer API

Johnson described the source of the bug as a ‘bug in a developer API’. The developer has reported the bug to Apple's security team and the team has acknowledged his report.

“They said they looked at my report and are investigating. This is a standard reply. They usually don't provide any updates once you report an issue to them, so I'm not expecting any more communication from them until they fix it,” Johnson told ZDNet.

“There are no mitigations that I know of. But it's only exploitable by a malicious app running on your system. There is no remote exploit,” Johnson added.