New macOS security flaw lets malicious apps steal your Safari browsing history

The vulnerability is not remotely exploitable. Users need to install a malicious app beforehand. Exploitation details were shared privately with Apple's security team last week.


A bug in a developer API allows malicious apps installed on macOS Mojave to gain access to a normally protected folder from where attackers can extract Safari browsing history data.


The bug affects all known macOS Mojave versions and was discovered last week by Jeff Johnson, the developer of the Underpass Mac and iOS app and the StopTheMadness Safari extension.

"On Mojave, certain folders have restricted access that is forbidden by default," Johnson explained the vulnerability in a short blog post last week. "For example, ~/Library/Safari. In [the] Terminal app, you can't even list the contents of that folder."

Johnson says that by default, Mojave provides access to this folder only for a few selected system apps, such as Finder.

"However, I've discovered a way to bypass these protections in Mojave and allow apps to look inside ~/Library/Safari without acquiring any permission from the system or from the user," the developer said.

"There are no permission dialogs, It Just Works.™ In this way, a malware app could secretly violate a user's privacy by examining their web browsing history."

Speaking to ZDNet via Twitter, Johnson described the source of the bug only as "a bug in a developer API." He refused to share any other details on the grounds that the issue has yet to be patched and he doesn't want to put macOS users at risk.

Johnson said he reported the issue to Apple's security team, which has formally acknowledged his report.

"They said they looked at my report and are investigating," the developer told ZDNet. "This is a standard reply. They usually don't provide any updates once you report an issue to them, so I'm not expecting any more communication from them until they fix it."

"There are no mitigations that I know of," Johnson added. "But it's only exploitable by a malicious app running on your system. There is no remote exploit."

But while Johnson refused to share any other details for now, he did point out that the bug he discovered is not related to a trick that Rapid7 security researcher Bob Rudis shared online last week, which was presumed to be the same one that Johnson discovered.

"The SSH issue is different from mine," Johnson told ZDNet.
