Apple MacOS Mojave zero-day privacy bypass vulnerability revealed

The latest update of the Mac operating system is expected to hit today -- potentially alongside a zero-day bug which circumvents OS privacy controls.
Written by Charlie Osborne, Contributing Writer

A zero-day vulnerability in Apple Mojave has been disclosed on the day the latest version of the MacOS operating system leaves beta and becomes available to members of the public.

The co-founder of Digita Security and creator of Objective-See Mac security tools Patrick Wardle revealed the security holes on Monday.

Tech Pro Research: macOS Mojave: A guide for IT leaders

On Monday, Wardle said on Twitter, "Mojave's 'dark mode' is gorgeous...but its promises about improved privacy protections? kinda #FakeNews."


A minute-long video uploaded to Vimeo shows the vulnerability in action.

The clip shows how an app can be used to compromise the Mac operating system, bypassing privacy controls and permitting access to a user's address book.

This information, containing contacts for demo purposes, was then copied to the machine's desktop.

Speaking to Bleeping Computer, Wardle said it was possible to use an app without any privileges to exploit the zero-day flaw due to how Apple has "implemented the protections for various privacy-related data."

The researcher, furthermore, described the vulnerability as a "trivial, albeit 100 percent reliable flaw in their implementation."

However, the zero-day flaw does not affect all of the new operating system's privacy features.

See also: How easy is it to break the new Apple iPhone XS and iPhone XS Max?

There are few technical details available relating to the zero-day vulnerability, which is expected due to the date of release and the need to give Apple time to resolve the flaw while keeping users safe from exploit due to public proof-of-concept (PoC) releases or the release of information that attackers can use to exploit the bug.

A detailed explanation of the security flaw will be taking place in November at the security researcher's Objective by the Sea conference.

Wardle says on Twitter that he attempted to contact the iPad and iPhone maker's security team but was unsuccessful in doing so.

CNET: iPhone XS drop test: This phone would not crack

In August, Wardle revealed the existence of CVE-2017-7150, a bug impacting modern versions of Apple macOS software before version 10.13. it was found that synthetic events could be abused to compromise the full operating system.

ZDNet has reached out to Apple and will update if we hear back.

Simple steps to erase your digital footprint

Previous and related coverage

Editorial standards