To exploit the vulnerability, attackers need physical access to the computer, as well as installing a malicious application
Network security and ethical hacking specialists
from the International Institute of Cyber Security report the emergence of a
new vulnerability in a developer API that allows a malicious app installed on
the Mojave MacOS to access a protected folder from which an attacker could extract
the Safari
browsing history data.
The vulnerability affects all known versions of
MacOS Mojave and was reported to Apple in recent days by network
security specialist Jeff Johnson.
“Some Mojave folders have restricted access”,
the expert mentioned. Johnson says that by default, Mojave provides access to
this folder only for some system applications, such as Finder. “However, there
is a way to dodge these Mojave protections and allow some apps to access these
folders without the need for user or system permissions. A malicious
application could compromise the user’s privacy by extracting its browsing
history”.
The network security expert only mentioned that
the vulnerability is an API developer flaw; although he decided not to disclose
further details, he claims that the vulnerability has not yet been corrected.
The expert added that Apple has already been informed of the situation.
So far, there are no known risk mitigation
methods, although the vulnerability is exploitable only by using a malicious
application executed in the system. “There is No form of remote
exploitation,” the expert mentions.
Although the expert refuses to share more
details, he stresses that the vulnerability has nothing to do with a similar
exploit revealed last week through Twitter by cybersecurity specialist Bob
Rudis.
