
Security researcher claims macOS Mojave privacy bug on launch day

A security researcher has claimed to have found a new vulnerability in the latest version of macOS — just hours before the software is due to be released.

Patrick Wardle, chief research officer at Digita Security, tweeted a video Monday of an apparent bypass of a privacy feature designed to prevent apps from improperly accessing a user’s personal data.

For years, Macs have forced apps to ask for permission before accessing your contacts and calendar after some iOS apps were caught uploading private data. Apple said at its annual developer conference this year that it would expand the feature to include apps asking for permission to access the camera, microphone, email and backups.

Wardle told TechCrunch that his findings are “not a universal bypass” of the feature, but that the bug could allow a malicious app to grab certain protected data, such as a user’s contacts, when a user is logged in.

Mojave's 'dark mode' is gorgeous 🙌
…but its promises about improved privacy protections? kinda #FakeNews 😥

0day bypass: https://t.co/rRf8t7C7Zf

btw if anybody has a link to 🍎's macOS bug bounty program I'd 💕 to report this & other 0days -donating any payouts to charity 🙏

— patrick wardle (@patrickwardle) September 24, 2018

The video shows the operating system initially rejecting access to his stored contacts, but later copying his entire address book to the desktop after running an unprivileged script simulating a malicious app.

Wardle isn’t releasing specifics of the bug yet, he said, because he doesn’t want to put users at risk. He dropped the video out of frustration at the company’s lack of a bug bounty, which he said disincentivizes security researchers from reporting bugs to the company.

Other operating system vendors “have acknowledged that any software is going to have vulnerabilities,” he said, but Apple is “sticking its head in the sand.”

Apple was one of the last major companies to roll out a bug bounty program — giving security researchers money in exchange for responsibly disclosed vulnerabilities. Apple began offering cash bounties of up to $200,000 for the most severe iOS bugs. But the company has neglected to port the program over to macOS, for reasons unknown.

“Unfortunately until there’s a reason for Apple to change its approach to security, it’s not going to,” he said. “Generally, companies don’t change something until they realize it’s broken.”

We reached out to Apple for comment and will update if we hear back.

It’s the second time Wardle released details of a serious vulnerability in macOS on launch day — the most recent case was almost exactly a year ago at the launch of macOS High Sierra.

Wardle is expected to discuss the technical details of the Mojave bug further at the Objective by the Sea conference in November, he said.

Apple will release macOS Mojave later on Monday.
