A security researcher disclosed a new flaw that undermines a core macOS security feature designed to prevent apps — or malware — from accessing a user’s private data, webcam or microphone without their explicit permission.
Last June, Apple introduced a core security feature in macOS that made it mandatory for all applications to obtain permission ("allow" or "deny") from users before accessing sensitive data or components on the system, including the device camera or microphone, location data, messages, and browsing history.
But the protections weren’t very good. Those ‘allow’ boxes can be subverted with a maliciously manufactured click.
It was previously possible to create artificial or "synthetic" clicks by using macOS's built-in automation feature, AppleScript. For those unaware, synthetic clicks are programmatic and invisible mouse clicks generated by a software program rather than by a human.
But Patrick Wardle, a former NSA hacker who’s now chief research officer at Digita Security, said he’s found another way to bypass these protections with relative ease.
Though Apple patched that issue a few weeks after its public disclosure, Wardle has once again publicly demonstrated a new workaround that could allow apps to perform synthetic clicks and access users' private data without their explicit permission.
Typically, apps are signed with a digital certificate to prove that the app is genuine and hasn't been tampered with. If the app has been modified to include malware, the signature check usually fails and the operating system won't run the app. But a bug in Apple's code meant that macOS was only checking whether a certificate exists and wasn't properly verifying the integrity of the whitelisted app.
“The only thing Apple is doing is validating that the application is signed by who they think it is,” he said. Because macOS wasn’t checking to see if the application had been modified or manipulated, a manipulated version of a whitelisted app could be exploited to trigger a synthetic click.
"System attempts to verify/validate that these allowed whitelisted apps haven't been subverted—but their check is flawed, meaning, an attacker can subvert any of these, and add/inject code to perform arbitrary synthetic clicks—for example to interact with security/privacy alerts in Mojave to access user's location, the microphone, webcam, photos, SMS/call records," Wardle told Hack Hex.
While demonstrating the zero-day vulnerability at the Objective By the Sea conference in Monte Carlo, Wardle abused VLC Player, one of Apple's approved apps, to include his malware as an unsigned plugin and perform synthetic clicks on a consent prompt programmatically, without requiring any user interaction.
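The flawed check described above (signer identity only) beside a strict check that also verifies integrity, as an added illustration that is not Apple's or Wardle's code; the HMAC-keyed signer, the bundle layout and the file contents are constructed stand-ins for real macOS code signing and its certificate chain.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a signing identity: real macOS signing proves the
# signer with a certificate chain; here one HMAC key per identity models it.
SIGNER_KEYS = {"VideoLAN": b"constructed-videolan-key"}
WHITELIST = {"org.videolan.vlc": "VideoLAN"}  # bundle id -> expected signer

def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign_bundle(bundle_id, files, signer):
    """Build a bundle whose seal (path -> hash of every file) is signed by signer."""
    seal = {path: file_hash(data) for path, data in sorted(files.items())}
    seal_bytes = json.dumps(seal, sort_keys=True).encode()
    sig = hmac.new(SIGNER_KEYS[signer], seal_bytes, "sha256").hexdigest()
    return {"id": bundle_id, "signer": signer, "seal": seal, "sig": sig, "files": dict(files)}

def flawed_check(bundle) -> bool:
    """Models the bug: asks only WHO signed, never whether the content is intact."""
    return WHITELIST.get(bundle["id"]) == bundle["signer"]

def strict_check(bundle) -> bool:
    """Identity plus integrity: signature covers the seal, seal covers every file."""
    if WHITELIST.get(bundle["id"]) != bundle["signer"]:
        return False
    seal_bytes = json.dumps(bundle["seal"], sort_keys=True).encode()
    expected = hmac.new(SIGNER_KEYS[bundle["signer"]], seal_bytes, "sha256").hexdigest()
    if not hmac.compare_digest(expected, bundle["sig"]):
        return False
    # Every file on disk must appear in the seal, and nothing may be present
    # that the seal does not cover (e.g. an unsigned plugin dropped in later).
    if set(bundle["files"]) != set(bundle["seal"]):
        return False
    return all(file_hash(d) == bundle["seal"][p] for p, d in bundle["files"].items())

def demo():
    """Genuine bundle passes both checks; one with an injected plugin passes only the flawed one."""
    vlc = sign_bundle("org.videolan.vlc",
                      {"Contents/MacOS/VLC": b"constructed binary", "Contents/Info.plist": b"<plist/>"},
                      "VideoLAN")
    tampered_files = dict(vlc["files"])
    tampered_files["Contents/plugins/injected.dylib"] = b"unsigned plugin"  # not in the seal
    tampered = dict(vlc, files=tampered_files)
    return flawed_check(vlc), strict_check(vlc), flawed_check(tampered), strict_check(tampered)

if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```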
Wardle refers to the new synthetic click vulnerability as a “2nd stage attack,” meaning an attacker would need to have remote access to a victim’s macOS computer already or have installed a malicious application.
Wardle reported his findings to Apple last week and the company confirmed receiving his report, but did not say when it plans to patch the issue.