Zero-day exploit in Mojave lets hackers copy your private data

Filed under Security Alerts.

Apple’s Mojave operating system has only been out for a few days, and security researchers have already found an exploit that could allow hackers unfettered access to your private information. The flaw uses a hole in Apple’s implementation of a new security feature in macOS, which makes it all the more ironic.

Apple just released the latest version of macOS — Mojave — to the public after testing it in beta since June. Cupertino thinks that the new operating system is ready for primetime, but security researcher Patrick Wardle says “Wait a minute. Not so fast.”

Wardle, who is a prolific spotter of flaws in Apple software, says that he discovered a zero-day exploit in macOS Mojave that would allow hackers access to the user’s address book (among other things) using an unprivileged app. He demonstrated the flaw in a one-minute video on Vimeo.

Wardle announced that the security hole is, ironically, a byproduct of Apple’s implementation of new privacy protections introduced in Mojave. The new measures require users to give permission for access to things like location data, the address book, message archives, and other private data and files. Wardle discovered a way to bypass that authorization.

“I found a trivial, albeit 100% reliable flaw in their implementation,” he said. The exploit allows an untrusted app to bypass security measures without authorization.

He says that the exploit does not work with all the privacy protection features in Mojave. For instance, hardware components are secure from this type of attack, but software-based applications such as Calendar are at risk.

Apple has been notified of the vulnerability and will undoubtedly address it in the first Mojave security patch. Meanwhile, Wardle will not be releasing details regarding the exploit until Objective by the Sea, the Mac security conference he has planned for November in Hawaii.

The flaw seems pretty low-risk as long as you are not running any sketchy apps. If that’s the case, you’re probably okay running Mojave. However, if you use a lot of third-party apps, you might want to hold off on Mojave until Apple gets it patched, to be safe.

 

The information contained in this website is for general information purposes only. The information is gathered from TechSpot. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.