Privacy Bypass Flaw in macOS Mojave Allows Access to Sensitive User Data
Security researcher Patrick Wardle has just shared a minute-long video clip showing a major flaw in Apple’s latest privacy protection implementation in macOS Mojave. Bypassing the protection allows access to protected files and other sensitive user data, including address book information (via BleepingComputer).
Wardle was able to access the confidential user contacts via an unprivileged app, meaning that it did not run with administrator permissions.
“I found a trivial, albeit 100% reliable flaw in their implementation,” he said, adding that it allows a malicious or untrusted app to bypass the new security mechanism and access the sensitive details without authorization.
Wardle also said, however, that the bypass does not work with all of Mojave’s new privacy protection features and does not affect hardware-based components like the webcam.
The researcher said that he is withholding the technical details until the upcoming Mac Security conference that he’s organizing in Maui, Hawaii, in November. In the demo video below, Wardle tries to copy the contents of the address book and denies the operation when the operating system asks for permission.
He then runs an unprivileged app that allows him to copy the address book data to the desktop and provides access to the few entries he added for demo purposes.
Apple has not yet issued any comment regarding the matter.