Why it matters: Apple's Mojave operating system has only been out for mere hours, and security researchers have already found an exploit that could allow hackers unfettered access to your private information. The flaw uses a hole in Apple's implementation of a new security feature in macOS making it all the more ironic.
Apple just released the latest version of macOS — Mojave — to the public after testing it in beta since June. Cupertino thinks that the new operating system is ready for primetime, but security researcher Patrick Wardle says “Wait a minute. Not so fast.”
Wardle, who is a prolific spotter of flaws in Apple software, says that he discovered a zero-day exploit in macOS Mojave that would allow hackers access to the user’s address book (among other things) using an unprivileged app. He demonstrated the flaw in a one minute video on Vimeo (below).
Wardle told Bleeping Computer that the security hole is ironically a byproduct of the Apple’s implementation of new privacy protections introduced in Mojave. The new measures require users to give permission for access to things like location data, the address book, message archives, and other private data and files. Wardle discovered a way to bypass that authorization.
“I found a trivial, albeit 100% reliable flaw in their implementation,” he said. The exploit allows an untrusted app to bypass security measures without authorization.
He says that the exploit does not work with all the privacy protection features in Mojave. For instance, hardware components are secure from this type of attack, but software-based applications such as Calendar are at risk.
Apple has been notified of the vulnerability and will undoubtedly address it in the first Mojave security patch. Meanwhile, Wardle will not be releasing details regarding the exploit until The Mac Security conference — Objective by the Sea — he has planned for November in Hawaii.
The flaw seems pretty low-risk as long as you are not running any sketchy apps. If that’s your case, you’re probably okay running Mojave. However, if you use a lot of third-party apps, you might want to hold off on Mojave until Apple gets it patched to be safe.