- The vulnerability could allow attackers the ability to access a Mac user’s address book.
- The flaw does not compromise or affect all MacOS privacy features.
Apple’s latest MacOS version - Mojave - contains a zero-day vulnerability. The flaw exists in Mojave’s privacy protection implementation process and is capable of allowing attackers the ability access users’ personal data.
The flaw was discovered by the notable Apple researchers Patrick Wardle, who has also created multiple free security tools for Mac. In a minute-long video, Wardle explained how the flaw can be exploited to allow attackers the ability to access a Mac user’s address book. However, the flaw does not compromise or affect all MacOS privacy features.
Wardle disclosed the vulnerability on the same day that Apple released Mojave’s beta version to the public.The researcher also described the vulnerability as a “trivial, albeit 100 percent reliable flaw in their implementation,” ZDNet reported.
“Mojave’s dark is gorgeous..but its promises about improved privacy protections? Kinda #FakeNews,” Wardle posted on Twitter.
About the vulnerability
In the demonstration video, Wardle attempts to copy the contents of the Mac address book but is unable to do so, since the Mac system as it asks for permissions. However, when he tries again using an unprivileged app, Wardle succeeds in copying the address book data to the desktop. The vulnerability also provides access to few other dummy entries that Wardle manually added for demo purposes.
Wardle told Bleeping Computer that he was able to access confidential user data using an unprivileged app. In other words, it did not run the application with administrator permissions. He also added that the vulnerability exists because of the way Apple implements protections for various privacy-related information.
Apple unresponsive to flaw disclosure
Wardle is reportedly holding on to the technical details of the vulnerability until the upcoming Mac Security Conference , which he’s organizing in Hawaii, in November this year. Moreover, releasing a public proof-of-concept could result in attackers getting a hold of a new and function attack technique, which in turn could allow cybercriminals to exploit the bug.
Wardle said on Twitter. that he attempted to contact the iPad and iPhone maker’s security team but was not successful in doing so. Wardle has previously discovered multiple security bugs in Apple MacOS. The latest flaw he discovered allowed the existence of synthetic events, which could be used to compromise the full operating system.