Zero-Day Vulnerability Exposes macOS to Synthetic Mouse-Click Attacks

Malware can bypass protections in macOS Mojave, and potentially access user data as well as the webcam and mic by exploiting a hole in Apple’s legacy app support.

According to a new report from ZDNet, Digita Security chief research officer Patrick Wardle explained during a presentation at the Objective By the Sea conference in Monte Carlo this month how malicious software could manipulate code run by an older installed application to bypass safeguards Apple has put on user data and sensitive components such as the camera and microphone.

The exploit relies on several tricks. One is macOS’ susceptibility to “synthetic clicks,” an attack that lets an app automatically click on dialog boxes like a human would, agreeing to the installation of software, granting permissions, or opening additional apps, such as Terminal. Another is an “undocumented whitelisting feature” of macOS that quietly creates a list of apps that are allowed to use synthetic clicks.

“Synthetic mouse clicks give an attacker an incredibly powerful capability,” he said. “In Mojave, Apple released a myriad of new privacy and security features that will block suspicious activity and display a pop-up requiring the user to allow an action. The goal of my research was to bypass all those new security and privacy mechanisms.”

Ultimately, the attack lets an attacker trigger synthetic mouse clicks on Mojave that, without the user’s knowledge, approve malicious behaviors such as turning on a targeted system’s microphone or disclosing the GPS coordinates of a user’s computer.

“In Mojave, Apple has added a number of security provisions to prevent users from installing malicious apps and preventing installed apps from risky behavior,” he said. “Mostly, Apple does this by prompting a user with a dialogue box either granting or denying permission.”

Wardle has identified several vulnerabilities in macOS that allow synthetic clicks, including one disclosed last year at DefCon. Apple has been patching the weaknesses, but Wardle says the patches are often incomplete and he believes “Apple has struggled to prevent synthetic click attacks.”

Wardle said that he reported his findings to Apple roughly one week ago and that the company confirmed receiving his report. However, it’s unclear what action the company plans to take.