A macOS privacy protection bypass flaw could allow attackers to access data stored in restricted folders on all macOS Mojave releases up to and including the 10.14.3 Supplemental Update released on February 7.
The flaw was discovered by Mac and iOS developer Jeff Johnson on February 8. He emailed a bug report to Apple Product Security on Saturday morning and received only an automated acknowledgement; Apple had not issued an official response before this article’s publication.
Mojave provides special access to this folder for only a few apps, such as Finder. However, I’ve discovered a way to bypass these protections in Mojave and allow apps to look inside ~/Library/Safari without acquiring any permission from the system or from the user. There are no permission dialogs, It Just Works.™ In this way, a malware app could secretly violate a user’s privacy by examining their web browsing history.
A specially crafted application designed to take advantage of this macOS issue would allow an attacker to snoop on the contents of a potential victim’s browsing history.
It’s important to mention that this privacy protection bypass is not exploitable from a sandboxed application; it works only from non-sandboxed applications (notarized ones included), even though Mojave’s privacy protections are designed to apply regardless of sandboxing.
In an interview with BleepingComputer, the developer told us that “I discovered the bug while I was working on my own app. I was using a particular API, which I won’t name, and it occurred to me that I could use that API to read restricted folders. So the bypass is nothing complex, it just requires Mac developer knowledge.”
While one can also access restricted folders on a Mac by SSH-ing into localhost and listing the folder (a bypass detailed in a tweet by boB Rudis), Johnson told BleepingComputer that the flaw he found relies on a different method: “I’ve heard about that bypass before, but I thought it was fixed in a previous Mojave update. I never checked that one personally though.”
Holy cow, folks, I just found another Mojave privacy protections bypass! On a fully updated system including 10.14.3 Supplemental Update.
What should I do with this one…
— Jeff Johnson (@lapcatsoftware) February 9, 2019
Johnson also said that the privacy protection issue he discovered is “not as broad as the SSH bypass, it’s not an absolute free-for-all access, there are some limitations to it.”
Moreover, while “the SSH bypass can be stopped by disabling Remote Login in System Preferences,” the bypass flaw uncovered by Johnson can’t be stopped that way.
When asked if the flaw he spotted affects all restricted folders on the system, he told us that “The one privacy violation that I specifically found was the ability to read Safari browsing history. I didn’t specifically find others, but it’s possible that there are other ways to violate the user’s privacy using this technique.”
Other flaws in macOS Mojave
This is not the first time the developer has discovered a privacy protection bypass flaw in Apple’s macOS Mojave. On September 26 he found another one, which he disclosed in November after the release of macOS 10.14.1; that one was related to the Automator app.
More specifically, the command-line version of Automator located at /usr/bin/automator could be used to bypass the privacy protection on the Contacts app and copy its contents to an arbitrary folder.
In that post he also described privacy issues in the implementation of the /usr/bin/tccutil tool, as well as the possibility of piggybacking on other apps that the user has previously granted access to sensitive data or locations.
The Automator issue was fixed by Apple with the release of macOS Mojave 10.14.3 Supplemental Update on February 7, but the other two are still unpatched. Also, Jeff Johnson is still waiting for credit from Apple for his contributions.
Last week, security researcher Linus Henze also demoed a zero-day exploit affecting the macOS Keychain password management system that can store passwords for applications, servers, and websites, as well as sensitive information related to banking accounts.
After publishing the exploit demo video on YouTube and sharing it on Twitter, Henze said that “I won’t release this. The reason is simple: Apple still has no bug bounty program (for macOS), so blame them. [..] Maybe this forces Apple to open a bug bounty program at some time.”
February 11 2019 18:49 Update: Article updated post-publication to correctly state that the SSH to localhost, the /usr/bin/tccutil tool, and the piggyback issues are still present in the latest version of macOS.