Ever since Apple announced enhanced privacy protection for macOS Mojave 10.14 last September, a dedicated band of researchers has been poking away at it looking for security flaws.
Embarrassingly for Apple, it’s not proved a tough challenge with the first turning up on launch day when one researcher reported a surprising bypass of privacy protection using an ordinary app (i.e. no admin permission) to access the address book.
Accessed via System Preferences > Security & Privacy > Privacy, other reported bypasses followed soon after, all apparently addressed by updates to Mojave.
Last week, just when it looked as if Apple might have got on top of the issue, StopTheMadness browser extension developer Jeff Johnson announced a new issue affecting all versions of Mojave including the 10.14.3 supplemental update released only days earlier.
According to Johnson, he discovered a way to access ~/Library/Safari without asking the system or user for permission – a directory that should only be accessible via privileged apps such as the macOS Finder.
There are no permission dialogs, it Just Works™. In this way, a malware app could secretly violate a user’s privacy by examining their web browsing history.
The only caveat was that the bypass doesn’t work for sandboxed apps and applied to those running outside that as “notarised” apps (i.e. those signed by a Developer ID that have passed Apple’s automated malware checks).
In a subsequent interview with Bleeping Computer, Johnson said he’d stumbled on the issue while working on his own Safari extension through an unspecified API:
So the bypass is nothing complex, it just requires Mac developer knowledge.
Just not iOS
Apple’s problem getting this feature to work is that it is trying to juggle two pressures that on iOS look easy by comparison – channelling apps’ access to sensitive folders (including Mail, Messages, Cookies, and Suggestions) through a consent layer without that becoming a chore.
It must also avoid causing problems for older apps built for a time when software’s right to access the information it wanted was taken for granted.
Is Apple closer to solving these niggles? The problem is the issue keeps getting bigger every time it’s looked at.
For instance, it appears to be common knowledge that privacy protection is powerless to stop someone bypassing it using Secure Shell to localhost (with remote login enabled).
Or perhaps using a ‘denial-of-patience’ attack in which a malevolent app continuously invokes tccutil to reset privacy settings until the user gives up in a hail of consent dialogues.
Johnson said he’d reported his discovery to Apple, which means that a future Mojave update should fix the bypass.
It’s already got its hands full fixing other security issues such as the KeySteal flaw that might allow an attacker to access passwords in the KeyChain password manager.