IT security audit specialists discovered a flaw that exploits a security feature in the macOS system used to prevent malicious applications from accessing the camera, microphone, or personal data without the user’s explicit consent.
The user’s privacy protection mechanisms in the
macOS Mojave prevent applications installed from unofficial sources from being
able to access information such as user contacts, location details, messages,
among others, unless the user approve the action by clicking a pop-up box. “Privacy
protection is the main reason why people choose Apple,”
the company’s executives mentioned in announcing the launch of these protection
measures.
However, it is possible to bypass this
protection. The popup window where the system requests user approval can be deceived
by using “artificial clicks”, made by a malicious actor outside the
user’s device.
As the IT security audit specialists previously
reported, it was possible to generate these artificial clicks using a tool
preinstalled in macOS called AppleScript, or with the numeric keys of the
keyboard. To prevent these features from being exploited by malicious users
using malware, Apple decided to block any artificial click, which requires
users to physically click the box to approve an action.
Patrick Warder, a former NSA employee and head
of research at the IT security audit firm Digita Security, describes the method
he discovered to bypass these protections in a relatively simple way. The expert mentions that the flaw exists due
to a white list of macOS applications with special permission to generate
artificial clicks to prevent them from collapsing.
The applications are signed with a digital
certificate that proves that it is a genuine development and has not been maliciously
manipulated. If it has been modified in any way, the certificate shows an error
and the operating system stops the implementation of the app. Because of this
flaw, macOS only verifies the existence of the certificate, not the
authenticity of the application, omitting the app’s manipulation verification.
“The system does not check the integrity
of the software, so a manipulated version of an app included in the Apple white
list could be exploited to perform artificial clicks”, adds the
specialist.
The expert claims that this vulnerability is a
second stage of attack, as it is necessary for an attacker to have physical
access to the compromised device. According to specialists from the
International Institute of Cyber Security (IICS), Apple has already been
notified of this vulnerability, although the company has not made any comments
about it.
