Apple has only just launched macOS Mojave, but a security researcher has already found a vulnerability which allegedly could allow an attacker to leverage a malicious app in order to steal personal data such as contact details from your Mac computer.
Patrick Wardle, who is co-founder of Digita Security, found the zero-day bug which allows for bypassing the operating system’s privacy defenses, and highlighted it on Twitter complete with a video (without going into the details of how it works at this point, for obvious reasons – that can be done post-fix).
Mojave's 'dark mode' is gorgeous 🙌...but its promises about improved privacy protections? kinda #FakeNews 😥0day bypass:https://t.co/rRf8t7C7Zfbtw if anybody has a link to 🍎's macOS bug bounty program I'd 💕 to report this & other 0days -donating any payouts to charity 🙏September 24, 2018
The video clip shows Wardle attempting to access the address book on a Mojave system, and failing, before running a script simulating a malicious app, which subsequently allows for access to the address book, and copying the data therein.
The simplicity of this ‘privacy bypass’ is concerning, for sure, with no permissions required to carry out this personal data pilfering.
Presumably we’ll hear a response from Apple on this matter sooner rather than later, as macOS security is obviously a hot topic. As are the defenses of any major operating system, to be fair, but given the year Apple had in 2017 on the security front, with a bewildering bug found in macOS High Sierra, the company will certainly want its software to appear watertight.
For his part, as you can see in the tweet above, Wardle requests details of Apple’s bug bounty scheme for macOS, in order to report the flaw, and potentially bag a reward (which would go to charity, he clarifies).
As you may well have seen, macOS Mojave was unleashed on the world yesterday, and we’ve rounded up all the pertinent details on the refreshed OS here – including the promise of more rigid security.
Mojave also introduces a system-wide dark mode which Wardle praises in his tweet (note that dark mode has nothing to do with the exploit, as some Twitter denizens have inferred from the researcher’s post).
- We’ve chosen the best laptops of 2018
Via Digital Trends