Zero-day exploit in Mojave lets hackers copy your private data

Cal Jeffrey

TS Evangelist
Staff member

Apple just released the latest version of macOS — Mojave — to the public after testing it in beta since June. Cupertino thinks that the new operating system is ready for primetime, but security researcher Patrick Wardle says “Wait a minute. Not so fast.”

Wardle, who is a prolific spotter of flaws in Apple software, says that he discovered a zero-day exploit in macOS Mojave that would allow hackers access to the user’s address book (among other things) using an unprivileged app. He demonstrated the flaw in a one minute video on Vimeo (below).

Wardle told Bleeping Computer that the security hole is ironically a byproduct of the Apple’s implementation of new privacy protections introduced in Mojave. The new measures require users to give permission for access to things like location data, the address book, message archives, and other private data and files. Wardle discovered a way to bypass that authorization.

“I found a trivial, albeit 100% reliable flaw in their implementation,” he said. The exploit allows an untrusted app to bypass security measures without authorization.

He says that the exploit does not work with all the privacy protection features in Mojave. For instance, hardware components are secure from this type of attack, but software-based applications such as Calendar are at risk.

Apple has been notified of the vulnerability and will undoubtedly address it in the first Mojave security patch. Meanwhile, Wardle will not be releasing details regarding the exploit until The Mac Security conference — Objective by the Sea — he has planned for November in Hawaii.

The flaw seems pretty low-risk as long as you are not running any sketchy apps. If that’s your case, you’re probably okay running Mojave. However, if you use a lot of third-party apps, you might want to hold off on Mojave until Apple gets it patched to be safe.

Permalink to story.



TechSpot Paladin

But, according to the fanatics, Apple is the most reliable and secure in the history of ever! How can it have flaws or vulnerabilities? This may rock some worlds!


Seriously, glad somebody is out there running these things through the wringers early in the launch cycle. Hate to imagine the damage that could have been done if it had snuck through and been a gaping security hole for a while.