Apple's macOS Mojave, released to users around the world on Monday, contains an improperly implemented security protection that may expose personal user data, a security researcher said.
Outlined by Patrick Wardle of Digita Security, the apparent flaw allows a non-privileged app to bypass the operating system's built-in permission controls and access user data belonging to certain apps. Wardle has uncovered a number of Apple-related security issues, the latest of which was the exfiltration of sensitive user data by the popular Mac App Store app Adware Doctor.
Apple introduced a comprehensive suite of macOS security features at its Worldwide Developers Conference this June, which require users to grant explicit permission before apps can use certain data and hardware. In particular, when running macOS Mojave, users must grant permission for apps to access the camera, microphone, e-mail, messages, Safari, Time Machine and iTunes backups, location, routines and system cookies.
In a short video uploaded to Twitter, Wardle demonstrates a bypass of at least one of these protections.
The short demonstration first shows a failed attempt to open and copy contacts via Terminal, the expected result under Apple's security measures. Wardle then runs an unauthorized app, aptly named "breakMojave," which locates and opens the Mac's address book.
Having gained access, Wardle runs a list command to view all files in the private folder, including metadata and images.
Speaking with TechCrunch, Wardle said the exploit is "not a universal bypass" of the extended permissions feature, but noted that the method can be used to access protected data when a user is logged in to macOS. As such, the bug is unlikely to be a major problem for most users, but it could be troublesome in certain situations.
The security researcher is keeping details of the bug private to protect the general public, but said he publicized the bypass to draw attention to Apple's lack of a bug bounty for the Mac. Indeed, a cheeky line in Wardle's script reads: "Submit report to email@example.com … ERROR: macOS bug bounty program not found :/"
Apple currently runs an iOS bug bounty program, launched in 2016, that pays up to $200,000 for bugs related to secure boot firmware components, though the company has yet to launch a similar incentive program for the Mac.
Now that the bug has been made public, Apple will undoubtedly inquire about the details and issue a patch in an upcoming update.