An environment touted as being protected apparently is not truly protected.
That is because there is a vulnerability that undermines a core macOS security feature designed to prevent apps from accessing a user’s private data, webcam or microphone without their explicit permission.
The privacy protections, expanded in macOS Mojave, were meant to make it more difficult for malicious apps to get access to a user’s private information unless the user clicks ‘allow’ on a popup box.
The protections are also meant to prevent apps from switching on a Mac’s webcam and microphone without consent.
But the protections don’t protect.
Those ‘allow’ boxes can be subverted with a maliciously manufactured click, a researcher disclosed.
It was previously possible to create artificial or “synthetic” clicks by using macOS’s built-in automation feature, AppleScript, or by using Mouse Keys, which lets users control the mouse cursor with the numeric keypad.
After fixing these bugs in previous macOS versions, Apple’s current defense is to block all synthetic clicks, requiring the user to physically click on a button.
But Patrick Wardle, a former NSA hacker who’s now chief research officer at South Florida-based Digita Security, found another way to bypass these protections with relative ease.
Wardle said the bug stems from an undocumented whitelist of approved macOS apps that are allowed to create synthetic clicks, so that those apps don’t break under the new protections.
Typically apps are signed with a digital certificate to prove the app is genuine and hasn’t been tampered with.
If the app has been modified to include malware, signature verification normally fails and the operating system won’t run the app. But a bug in Apple’s code meant macOS was only checking that a certificate exists and wasn’t properly verifying the integrity of the whitelisted app.
The only thing Apple is doing is validating that the application is signed by who they think it was signed by, he said in a published report. Because macOS wasn’t checking whether the application had been modified or manipulated, a manipulated version of a whitelisted app could be used to trigger a synthetic click.
One of those approved apps is VLC, an open-source video player that allows plugins and other extensions. Wardle said it was possible to use VLC as a delivery vehicle for a malicious plugin to create a synthetic click on a consent prompt without the user’s permission.
Wardle said in the report that he dropped in a new plugin and VLC loaded it; because VLC loads plugins, the malicious plugin can generate a synthetic click. It ends up being allowed because the system sees that it is VLC but doesn’t validate the bundle to make sure it is legitimate.
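The difference between the two checks described above, as an added example that is not Apple’s, VLC’s or Wardle’s code: a toy signer seals a bundle’s file hashes, an identity-only check asks just who signed it, and an integrity check also re-hashes the bundle on disk. The team ID, signing key, file paths and plugin contents are constructed stand-ins, and HMAC stands in for certificate-based signatures.

```python
import hashlib
import hmac

# Constructed stand-in for code-signing identities: a shared secret per team ID
# plays the role of the developer certificate. Real macOS uses X.509 signatures.
SIGNING_KEYS = {"VIDEOLAN-TEAM-ID": b"constructed-signing-key"}
# The undocumented whitelist described in the article, modelled as a set of signer IDs.
SYNTHETIC_CLICK_WHITELIST = {"VIDEOLAN-TEAM-ID"}

def resource_seal(bundle):
    """Hash of every file in the bundle (path -> bytes), fixed at signing time."""
    h = hashlib.sha256()
    for path in sorted(bundle):
        h.update(path.encode() + b"\0" + hashlib.sha256(bundle[path]).digest())
    return h.hexdigest()

def sign_bundle(bundle, team_id):
    """Sign (team_id, seal) so the signature covers the bundle's contents."""
    seal = resource_seal(bundle)
    tag = hmac.new(SIGNING_KEYS[team_id], f"{team_id}:{seal}".encode(), hashlib.sha256).hexdigest()
    return {"team_id": team_id, "seal": seal, "tag": tag}

def signature_is_genuine(sig):
    """Was this signature really produced by the claimed team's key?"""
    key = SIGNING_KEYS.get(sig["team_id"])
    if key is None:
        return False
    expected = hmac.new(key, f"{sig['team_id']}:{sig['seal']}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["tag"])

def identity_only_check(bundle, sig):
    """The flawed check: signed by a whitelisted signer? Current contents are never re-hashed."""
    return signature_is_genuine(sig) and sig["team_id"] in SYNTHETIC_CLICK_WHITELIST

def integrity_check(bundle, sig):
    """The correct check: trusted signer AND the files on disk still match the sealed hash."""
    return identity_only_check(bundle, sig) and hmac.compare_digest(resource_seal(bundle), sig["seal"])

# Constructed VLC-like bundle, signed as shipped, then modified by dropping in a plugin.
ORIGINAL = {
    "Contents/MacOS/VLC": b"constructed main executable",
    "Contents/MacOS/plugins/libaudio_plugin.dylib": b"constructed legitimate plugin",
}
SIGNATURE = sign_bundle(ORIGINAL, "VIDEOLAN-TEAM-ID")
TAMPERED = dict(ORIGINAL, **{"Contents/MacOS/plugins/libextra_plugin.dylib": b"constructed unsigned plugin"})

def compare_checks(bundle=TAMPERED, sig=SIGNATURE):
    """Returns (identity_only_result, integrity_result); for TAMPERED this is (True, False)."""
    return identity_only_check(bundle, sig), integrity_check(bundle, sig)
```

On a real Mac the integrity side of this corresponds to running `codesign --verify --deep --strict` against the application bundle rather than trusting the signer identity alone.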
Wardle said this is a “second stage” attack because the bug already requires an attacker to have access to the computer. But it’s exactly these kinds of situations where malware on a computer tries to click through on a consent box that Apple is trying to prevent, Wardle said.
Wardle told Apple of the bug last week but the company has yet to release a patch. “This isn’t a remote attack so I don’t think this puts a large number of Mac users immediately at risk,” he said.