A bug in a developer API allows malicious apps installed on macOS Mojave to gain access to a normally protected folder, from which attackers can extract Safari browsing history data.
The bug affects all known macOS Mojave versions and was discovered last week by Jeff Johnson, the developer of the Underpass Mac and iOS app and the StopTheMadness Safari extension.
"On Mojave, certain folders have restricted access that is forbidden by default," Johnson wrote in a short blog post last week explaining the vulnerability. "For example, ~/Library/Safari. In [the] Terminal app, you can't even list the contents of that folder."
Johnson says that by default, Mojave provides access to this folder only for a few selected system apps, such as Finder.
"However, I've discovered a way to bypass these protections in Mojave and allow apps to look inside ~/Library/Safari without acquiring any permission from the system or from the user," the developer said.
"There are no permission dialogs, It Just Works.™ In this way, a malware app could secretly violate a user's privacy by examining their web browsing history."
Speaking to ZDNet via Twitter, Johnson described the source of the bug only as "a bug in a developer API." He refused to share any other details on the grounds that the issue has yet to be patched and he doesn't want to put macOS users at risk.
Johnson said he reported the issue to Apple's security team, which has formally acknowledged his report.
"They said they looked at my report and are investigating," the developer told ZDNet. "This is a standard reply. They usually don't provide any updates once you report an issue to them, so I'm not expecting any more communication from them until they fix it."
"There are no mitigations that I know of," Johnson added. "But it's only exploitable by a malicious app running on your system. There is no remote exploit."
But while Johnson refused to share any other details for now, he did point out that the bug he discovered is not related to a trick that Rapid7 security researcher Bob Rudis shared online last week, which was presumed to be the same issue Johnson discovered.
"The SSH issue is different from mine," Johnson told ZDNet.